Edit tour

Windows Analysis Report
DocuFlex.exe

Overview

General Information

Sample name:	DocuFlex.exe
Analysis ID:	1618576
MD5:	134873893d8eaf390fa9779e814c6a3c
SHA1:	d3a88b605259789add1ca8c9033c96c042fa6bd1
SHA256:	571fdc22749fce2dd5865022a0d43a1cd48a02e3e9a883d010789c50796e2aff
Infos:

Detection

Score:	42
Range:	0 - 100
Confidence:	100%

Compliance

Score:	64
Range:	0 - 100

Signatures

Suricata IDS alerts for network traffic

Joe Sandbox ML detected suspicious sample

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64_ra

DocuFlex.exe (PID: 4040 cmdline: "C:\Users\user\Desktop\DocuFlex.exe" MD5: 134873893D8EAF390FA9779E814C6A3C)

dllhost.exe (PID: 2844 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

cmd.exe (PID: 2036 cmdline: "C:\Windows\System32\cmd.exe" /c start /b node . MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

node.exe (PID: 2660 cmdline: node . MD5: 1CBBF81FC27F911C3E1239DFCFF5E6C6)

cmd.exe (PID: 3312 cmdline: C:\Windows\system32\cmd.exe /d /s /c "clipboard.exe --paste" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

clipboard.exe (PID: 2464 cmdline: clipboard.exe --paste MD5: BDF7D4CCD2CE8CC7AB6AE80914496799)

cmd.exe (PID: 4952 cmdline: C:\Windows\system32\cmd.exe /d /s /c "clipboard.exe --copy" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

clipboard.exe (PID: 6044 cmdline: clipboard.exe --copy MD5: BDF7D4CCD2CE8CC7AB6AE80914496799)

chrome.exe (PID: 3920 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --new-window --user-data-dir=C:\Users\user\AppData\Local\PDFInstaller\chrome-profile --start-maximized --app=http://localhost:56097 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6756 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Local\PDFInstaller\chrome-profile" --mojo-platform-channel-handle=2184 --field-trial-handle=2028,i,5394899628148401723,17653549358450679821,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cmd.exe (PID: 2844 cmdline: "cmd.exe" /c schtasks /create /tn "PDF" /xml "C:\Users\user\AppData\Local\PDFInstaller\task.xml" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5388 cmdline: schtasks /create /tn "PDF" /xml "C:\Users\user\AppData\Local\PDFInstaller\task.xml" /f MD5: 48C2FE20575769DE916F48EF0676A965)

chrome.exe (PID: 4992 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --hide-crash-restore-bubble --restore-last-session --new-window "? starttt" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3976 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=1948,i,11845434080885918371,8269590411636599663,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Sigma Signatures

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /tn "PDF" /xml "C:\Users\user\AppData\Local\PDFInstaller\task.xml" /f, CommandLine: schtasks /create /tn "PDF" /xml "C:\Users\user\AppData\Local\PDFInstaller\task.xml" /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "cmd.exe" /c schtasks /create /tn "PDF" /xml "C:\Users\user\AppData\Local\PDFInstaller\task.xml" /f, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2844, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn "PDF" /xml "C:\Users\user\AppData\Local\PDFInstaller\task.xml" /f, ProcessId: 5388, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE Trojan-Dropper.MSIL CnC Traffic - POST

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T00:35:38.386295+0100	2034341	1	A Network Trojan was detected	192.168.2.16	49760	188.114.96.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.7% probability

Compliance

Creates license or readme file

Source: C:\Users\user\Desktop\DocuFlex.exe

File created: C:\Users\user\AppData\Local\PDFInstaller\node_modules\signal_exit\LICENSE.txt

Jump to behavior

PE / OLE file has a valid certificate

Source: DocuFlex.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.16:49712 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: DocuFlex.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: c:\ws\out\Release\node.pdb! source: DocuFlex.exe, 00000000.00000000.1168081456.0000000005985000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: c:\ws\out\Release\node.pdb source: DocuFlex.exe, 00000000.00000000.1168081456.0000000005985000.00000002.00000001.01000000.00000003.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2034341 - Severity 1 - ET MALWARE Trojan-Dropper.MSIL CnC Traffic - POST : 192.168.2.16:49760 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET /favicon.png HTTP/1.1Host: docu-flex.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /log HTTP/1.1Content-Type: text/plain; charset=utf-8Host: docu-flex.comContent-Length: 24Expect: 100-continue

Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.205.43
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.205.43
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.205.43
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.205.43
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 54.84.201.116
Source: unknown	TCP traffic detected without corresponding DNS query: 54.84.201.116
Source: unknown	TCP traffic detected without corresponding DNS query: 54.84.201.116
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.205.57
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.205.57
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.205.43
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.205.43
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /favicon.png HTTP/1.1Host: docu-flex.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /search?q=starttt&sourceid=chrome&ie=UTF-8 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /search?q=starttt&sourceid=chrome&ie=UTF-8&sei=Whm1Z7GaM6Dc7_UPmK2Y2A0 HTTP/1.1Host: www.google.comConnection: keep-alivertt: 250downlink: 1.35sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://www.google.com/search?q=starttt&sourceid=chrome&ie=UTF-8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; NID=521=EpcDvCEfgKJF6wQ9H7HTw5D9eTN1IdCbBMlyTY6-JM7tAOhPchs4PDxfDYXm1Y2SV6idZMswmaaTwELJPoriyACtatXQOVduYAv1uKhgZdYuekHtf63xfkHBFxVYe-15wZvDfXNju1X4Xa88_oT2DanCSz8BOcSmlOnszRo4Mifx8kiS4inveDlns5pUlpBcWydP_NdQLHo20ho; SG_SS=*LhKaEkryAAaUZktqtGZ93Sjxdy6fv_4EADQBEArZ1Biv4UcgIkzspqneWcWDCX6biNekSp2TjAdEbZlCewyhNBzUy9jgr2Afjg8rkmbhPQAAADJtAAAACFcBB0EANdLzCTctUBG8HkjdtTOqigpUu8kNEqWMia6w5L_7sbuHvJYnVhByVyRlquuTvRJQ2LZLDvPWpgI6t9Gms8JXiEdv3lR2ExS_9PjF6yPHV5AI4meXKZxYxBVfiUjIdnSHEKramv9aIGAx1j2Rre2q6N0iPYBnFOgqM57eKGHJPvH_ZgEViFoOcVrzIDMOEtwL-uKqAnJdpu8r3yZ7yNqHgJy27HHHkKZ17pFOOKjgfC6aDX1QFTWxGzSs-G9Bu9NnqYUMH5aESw0zAeLBXSlToN_aBIZS1LEWRBkM70L35XK_3D6XNKHfA5whKCCkGgpZSOAVWxOPFNOgh-4ejSLpCYAwAFdg7SN6xH8UQlLeBhVHefhR9MQ6ZGS95IYLzZMA_nbFA5s8I7g3bauEXmAuUYfc97tZQMuItH6UOnN8u9mxnuXDdWPO-0jfD7eVhZrbqG1QD7cTNZi7Rw3e9RQg6gjtn-9PEcxlcjJQm1jjRVjaRtAwPCm6P3nu6U2O_lbAbMTk10r84p5JTF31yqNcdU3s1pjiTlk3VW883lGdfmJc_K2UKH9tPxP3Txqv6ZmOjNI6DhY-QBr1-yNSk_b24vAYuBWxxIQYtAbAENg6DkNxLddomM2KphPGhryTHi2mmQI9TIVF0JfAuCvr4o1VALfHZnQ4TR_Z1v-fcVPvxnMEdU6J9GvF4YACvypkDR7kAv3lOcPxSrTVxdJwob0-1ktAFMQGsEOiqds4odTH7x7lE4nzxKsjRDPsQoYl7PU8v8sJmct774_a7UgOw49cmEXwQE0oKIdMwyIGzUqU7OcLUBWmtWznMPjuBpVLE9Aa33bf
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/searchbox/desktop_searchbox_sprites318_hr.webp HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.google.com/search?q=starttt&sourceid=chrome&ie=UTF-8&sei=Whm1Z7GaM6Dc7_UPmK2Y2A0Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; NID=521=DwY8rbcZBIWJ_sj09IBEbo1H3QSa-Py1RRpNvjDy3RVKD4twZV0BqxAIkEBXFyKpLXWG2W2XSW-UxvLvh2H8DYRse5Oh5szuuk5kfG-kwAakTS_h5jeCuWC0aCHHLmnvEDLjqEXGJMWziEYDPu09MssRRRRCgROGxF_z_yV9viLikYm3T41qvLOirU_UdMnLEcub1KXNwooUFUrDLz6tT9iX2Y9yg7f1-4AALWpDwd8M
Source: global traffic	HTTP traffic detected: GET /xjs/_/ss/k=xjs.s.J-afBL40dv0.L.B1.O/am=AOIQIAQAAAACAABACAAVAAQAAAAAAAAAAAAAAAAAAAAAAAAASAAAAIAAAQAAAAAAgAAAAAARAAAAlEkAAAAAghMCIMAOAAAAAB-AQJwKgAAAAAAAQACABAAAAAAEAAIAJIQAAAAEAAAAQBAAAAACACwAACAAAAgAAAAIAwMAMAAAAAAIAEIIAgAQABgAAAdAAEgAACCAAxAAsBAEAGAAAIAAAAAKwEMwDICgAmAARwABAACACAAAAAAAAgCEAABgAFAAAAQIAAB6AAjABwAgCSIAQAgAAAFQCAAIAAAAASAAAACAIBAAAABaAACOgQEIAAAAAAAAABIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAEA/d=1/ed=1/br=1/rs=ACT90oHGymGXzmSL_ynnO9_AgzhVUzXrTQ/m=X3N0Bf,attn,cdos,gwc,hsm,jsa,mb4ZUb,cEt90b,SNUn3,qddgKe,sTsDMc,dtl0hd,eHDfl,YV5bee,d,csi HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; NID=521=DwY8rbcZBIWJ_sj09IBEbo1H3QSa-Py1RRpNvjDy3RVKD4twZV0BqxAIkEBXFyKpLXWG2W2XSW-UxvLvh2H8DYRse5Oh5szuuk5kfG-kwAakTS_h5jeCuWC0aCHHLmnvEDLjqEXGJMWziEYDPu09MssRRRRCgROGxF_z_yV9viLikYm3T41qvLOirU_UdMnLEcub1KXNwooUFUrDLz6tT9iX2Y9yg7f1-4AALWpDwd8M
Source: global traffic	HTTP traffic detected: GET /xjs/_/js/k=xjs.s.en.rVvGaTzUuak.2018.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAARQAAKAAAAAAAAAAJAAIAAAAAAAAACABAAAAAAAAAEBQACChAAABAAAAAAAJgAAAAIWAAEDAAAAAAAAACAAAAAAgQgA-_2HAwAAAAAAAAAAAAAIQAIAAAAAAABcAAAI8CHYAwIAAACAAAAAAIAAAAAAAEAAAACAAgAAAAAAAAAABAAAAAAAAAEAAAAgAAD0AQAAAAAAAAAAAAAACAAAAAAAgAFQAAAB_AAAAAAAAAAOAAAACBAAAACOgQEIAAAAAAAAwB4AHg8IhxQWAAAAAAAAAAAAAAAAgAAkCOZA-gsCEAAAAAAAAAAAAAAAAAAAAFIETVzeAIA/d=1/ed=1/dg=3/br=1/rs=ACT90oEb5gFabjsgECjDfOsDNg-rPiA7_Q/ee=ALeJib:B8gLwd;AfeaP:TkrAjf;Afksuc:wMx0R;BMxAGc:E5bFse;BgS6mb:fidj5d;BjwMce:cXX2Wb;CxXAWb:YyRLvc;DM55c:imLrKe;DMzTfb:fNTHad;DULqB:RKfG5c;Dkk6ge:JZmW9e;DpcR3d:zL72xf;Du7NI:C6zLgf;EABSZ:MXZt9d;ESrPQc:mNTJvc;EVNhjf:pw70Gc;EmZ2Bf:zr1jrb;EnlcNd:WeHg4;F9mqte:UoRcbe;Fmv9Nc:O1Tzwc;FqHJkd:yQamIb;G0KhTb:LIaoZ;G6wU6e:hezEbd;GEkGdd:e1RzQd;GleZL:J1A7Od;HMDDWe:G8QUdb;HoYVKb:PkDN7e;HqeXPd:cmbnH;IBADCc:RYquRb;IZrNqe:P8ha2c;IoGlCf:b5lhvb;JXJSm:ii1RGf;JXS8fb:Qj0suc;JbMT3:M25sS;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;KOxcK:OZqGte;KQzWid:ZMKkN;KcokUb:KiuZBf;KpRAue:Tia57b;LBgRLc:SdcwHb,XVMNvd;LEikZe:byfTOb,lsjVmc;LXA8b:q7OdKd;LsNahb:ucGLNb;Me32dd:MEeYgc;NPKaK:SdcwHb;NSEoX:lazG7b;Np8Qkd:Dpx6qc;Nyt6ic:jn2sGd;OgagBe:cNTe0;OohIYe:mpEAQb;Pjplud:EEDORb,PoEs9b;PqHfGe:im2cZe;Q1Ow7b:x5CSu;Q6C5kf:pfdZCe;QGR0gd:Mlhmy;Qw8Feb:jpavUe;R2kc8b:ALJqWb;R4IIIb:QWfeKf;R9Ulx:CR7Ufe;RCF5Sd:X1kBmd;RDNBlf:zPRCJb;SLtqO:Kh1xYe;SMDL4c:fTfGO,fTfGO;SNUn3:ZwDk9d,x8cHvb;ScI3Yc:e7Hzgb,e7Hzgb;ShpF6e:N0pvGc;SwCqAd:fXbCZc;SzQQ3e:dNhofb;TxfV6d:YORN0b;U96pRd:FsR04;UBKJZ:LGDJGb;UDrY1c:eps46d;UVmjEd:EesRsb;UVzb9c:IvPZ6d;Uvc8o:VDovNc;UyG7Kb:wQd0G;V2HTTe:RolTY;VGRfx:VFqbr;VN6jIc:ddQyuf;VOcgDe:YquhTb;VhA7bd:vAmQFf;VsAqSb:PGf2Re;VxQ32b:k0XsBb;WCEKNd:I46Hvd;WDGyFe:jcVOxd;Wfmdue:g3MJlb;XUezZ:sa7lqb;YIZmRd:A1yn5d;YV5bee:IvPZ6d;ZMvdv:PHFPjb;ZSH6tc:QAvyLe;ZWEUA:afR4Cf;Zen4yb:jMF88c;ZlOOMb:P0I0Ec;a56pNe:JEfCwb;aAJE9c:WHW6Ef;aCJ9tf:qKftvc;aZ61od:arTwJ;af0EJf:ghinId;bDXwRe:UsyOtc;bFZ6gf:RsDQqe;bcPXSc:gSZLJb;cEt90b:ws9Tlc;cFTWae:gT8qnd;coJ8e:KvoW8;dIoSBb:ZgGg9b;dLlj2:Qqt3Gf;daB6be:lMxGPd;dowIGb:ebZ3mb,ebZ3mb;dtl0hd:lLQWFe;eBAeSb:Ck63tb;eBZ5Nd:audvde;eHDfl:ofjVkb;eO3lse:nFClrf;euOXY:OZjbQ;flqRgb:ox2Q7c;g8nkx:U4MzKc;gaub4:TN6bMe;gtVSi:ekUOYd;h3MYod:cEt90b;hK67qb:QWEO5b;heHB1:sFczq;hjRo6e:F62sG;hlqGX:FWz1ic;hsLsYc:Vl118;hwoVHd:zw4U8c;iFQyKf:QIhFr,vfuNJf;imqimf:jKGL2e;iySzae:a6xXfd;jY0zg:Q6tNgc;k2Qxcb:XY51pe;kCQyJ:ueyPK;kbAm9d:MkHyGd;lOO0Vd:OTA3Ae;lbfkyf:MqGdUd;lkq0A:JyBE3e;mWzs9c:fz5ukf;mzW4Id:nYdusb;nAFL3:NTMZac,s39S4;nJw4Gd:dPFZH;oGtAuc:sOXFj;oSUNyd:fTfGO,fTfGO;oUlnpc:RagDlc;oVHXxc:HODIOb;okUaUd:wItadb;pDHPSc:BWn2ed;pKJiXd:VCenhc;pNsl2d:j9Yuyc;pXdRYb:JKoKVe;pj82le:ww04Df;qGV2uc:HHi04c;qZx2Fc:j0xrE;qaS3gd:yiLg6e;qafBPd:sgY6Zb,yDVVkb;qavrXe:zQzcXe;qddgKe:d7YSfd,x4FYXe;rQSrae:C6D5Fc;rdexKf:FEkKD;ropkZ:UT1DG;sTsDMc:kHVSUb;sZmdvc:rdGEfc;slIQ5d:pnOULd;tGdRVe:CS1mob;tH4IIe:Ymry6;tosKvd:ZCqP3;trZL0b:qY8PFe;uknmt:GkPrzb;uuQkY:u2V3ud;vEYCNb:FaqsVd;vGrMZ:lPJJ0c;vfVwPd:lcrkwe;w3bZCb:ZPGaIb;w4rSdf:XKiZ9;w9w86d:dt4g2b;wQlYve:aLUfP;wR5FRb:O1Gjze,TtcO
Source: global traffic	HTTP traffic detected: GET /pagead/1p-conversion/16521530460/?gad_source=1&adview_type=4&adview_query_id=CPnZr9GxzosDFQCjgwcdc6U7BA HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAttribution-Reporting-Eligible: trigger, event-source=navigation-sourceReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; NID=521=DwY8rbcZBIWJ_sj09IBEbo1H3QSa-Py1RRpNvjDy3RVKD4twZV0BqxAIkEBXFyKpLXWG2W2XSW-UxvLvh2H8DYRse5Oh5szuuk5kfG-kwAakTS_h5jeCuWC0aCHHLmnvEDLjqEXGJMWziEYDPu09MssRRRRCgROGxF_z_yV9viLikYm3T41qvLOirU_UdMnLEcub1KXNwooUFUrDLz6tT9iX2Y9yg7f1-4AALWpDwd8M
Source: global traffic	HTTP traffic detected: GET /verify/ABY0gVta9JEzQ8ZtTeqom8kYXjB-f_EwIvFGz9bsT-GSyHH7FjvY6BZwAbpPTL12wTkvYLxrPMEDi45aRv3Rd910N3JpB9-5tkCxUJD0FokQRCB7lg HTTP/1.1Host: id.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; NID=521=DwY8rbcZBIWJ_sj09IBEbo1H3QSa-Py1RRpNvjDy3RVKD4twZV0BqxAIkEBXFyKpLXWG2W2XSW-UxvLvh2H8DYRse5Oh5szuuk5kfG-kwAakTS_h5jeCuWC0aCHHLmnvEDLjqEXGJMWziEYDPu09MssRRRRCgROGxF_z_yV9viLikYm3T41qvLOirU_UdMnLEcub1KXNwooUFUrDLz6tT9iX2Y9yg7f1-4AALWpDwd8M
Source: global traffic	HTTP traffic detected: GET /images/nav_logo321.webp HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.google.com/search?q=starttt&sourceid=chrome&ie=UTF-8&sei=Whm1Z7GaM6Dc7_UPmK2Y2A0Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; NID=521=DwY8rbcZBIWJ_sj09IBEbo1H3QSa-Py1RRpNvjDy3RVKD4twZV0BqxAIkEBXFyKpLXWG2W2XSW-UxvLvh2H8DYRse5Oh5szuuk5kfG-kwAakTS_h5jeCuWC0aCHHLmnvEDLjqEXGJMWziEYDPu09MssRRRRCgROGxF_z_yV9viLikYm3T41qvLOirU_UdMnLEcub1KXNwooUFUrDLz6tT9iX2Y9yg7f1-4AALWpDwd8M
Source: global traffic	HTTP traffic detected: GET /vi/5pejh45JcSU/mqdefault.jpg?sqp=-oaymwEFCJQBEFM&rs=AMzJL3mIJXwMIoq3AodQXWVfv_dBlMnOUw HTTP/1.1Host: i.ytimg.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /vi/bZaOtydCOlc/mqdefault.jpg?sqp=-oaymwEFCJQBEFM&rs=AMzJL3luB9JX8X5kPT_yXpBvBHE3YFVM4A HTTP/1.1Host: i.ytimg.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /compressiontest/gzip.html HTTP/1.1Host: www.google.comConnection: keep-alivertt: 250downlink: 1.35sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; NID=521=DwY8rbcZBIWJ_sj09IBEbo1H3QSa-Py1RRpNvjDy3RVKD4twZV0BqxAIkEBXFyKpLXWG2W2XSW-UxvLvh2H8DYRse5Oh5szuuk5kfG-kwAakTS_h5jeCuWC0aCHHLmnvEDLjqEXGJMWziEYDPu09MssRRRRCgROGxF_z_yV9viLikYm3T41qvLOirU_UdMnLEcub1KXNwooUFUrDLz6tT9iX2Y9yg7f1-4AALWpDwd8M; GZ=Z=0
Source: global traffic	HTTP traffic detected: GET /complete/search?q&cp=0&client=gws-wiz-serp&xssi=t&gs_pcrt=2&hl=en&authuser=0&pq=starttt&psi=Wxm1Z82XGIWilQe77s3oDQ.1739921756765&dpr=1&nolsbt=1 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; NID=521=DwY8rbcZBIWJ_sj09IBEbo1H3QSa-Py1RRpNvjDy3RVKD4twZV0BqxAIkEBXFyKpLXWG2W2XSW-UxvLvh2H8DYRse5Oh5szuuk5kfG-kwAakTS_h5jeCuWC0aCHHLmnvEDLjqEXGJMWziEYDPu09MssRRRRCgROGxF_z_yV9viLikYm3T41qvLOirU_UdMnLEcub1KXNwooUFUrDLz6tT9iX2Y9yg7f1-4AALWpDwd8M; GZ=Z=0
Source: global traffic	HTTP traffic detected: GET /complete/search?q=starttt&cp=0&client=gws-wiz-serp&xssi=t&gs_pcrt=3&hl=en&authuser=0&pq=starttt&psi=Wxm1Z82XGIWilQe77s3oDQ.1739921756765&dpr=1&ofp=EAE HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; NID=521=DwY8rbcZBIWJ_sj09IBEbo1H3QSa-Py1RRpNvjDy3RVKD4twZV0BqxAIkEBXFyKpLXWG2W2XSW-UxvLvh2H8DYRse5Oh5szuuk5kfG-kwAakTS_h5jeCuWC0aCHHLmnvEDLjqEXGJMWziEYDPu09MssRRRRCgROGxF_z_yV9viLikYm3T41qvLOirU_UdMnLEcub1KXNwooUFUrDLz6tT9iX2Y9yg7f1-4AALWpDwd8M; GZ=Z=0
Source: global traffic	HTTP traffic detected: GET /xjs/_/js/k=xjs.s.en.rVvGaTzUuak.2018.O/ck=xjs.s.J-afBL40dv0.L.B1.O/am=AOIQIAQAAAACAABACAAVAAQAAAAAAAAAAAAAAAAAAAAAAAAASAAAAIAAAQAAAAAAgAAAAARRAAKAlEkAAAAAgpMCIMAOAAAAAB-ARJwKgAAAAAEBQACChAAABAAEAAIAJoQAAAIWAAEDQBAAAAACACwAACAAgQgA-_2PAwMAMAAAAAAIAEIIQgIQABgAAAdcAEgI8CHYAxIAsBCEAGAAAIAAAAAKwEMwDICgAmAARwABAACADAAAAAAAAgGEAABgAFD0AQQIAAB6AAjABwAgCSIAQAgAgAFQCAAJ_AAAASAAAACOIBAACBBaAACOgQEIAAAAAAAAwB4AHg8IhxQWAAAAAAAAAAAAAAAAgAAkCOZA-gsCEAAAAAAAAAAAAAAAAAAAAFIETVzeAIA/d=0/dg=0/br=1/ujg=1/rs=ACT90oGKARqzuXTr1-twHgnDnoV1cean1Q/m=UMk45c,bplExb,nMfLA,O19q8,xMHx5e,R6UkWb,tW711b,UX8qee,tDA9G,sy4t0,syz1,syyz,sy14s,syzf,syyy,syze,syz2,syz3,sy3ax,sy3ay,sy3az,sy30r,sy12q,sy2v1,syr7,sy2uy,sy2uv,sy16e,sy14p,sy14q,sy14r,sy3if,sy19a,sy14o,sy139,sy13a,sy137,sy135,sy3b0,sy30p,sy199,sy155,sy154,sy14e,sy156,sy13s,sy13q,sy14d,Eox39d,sy80,sy7z,syip,syil,syim,syik,syiy,syiw,syiv,syiu,syiq,syij,syc9,syee,syef,sycb,sycq,syci,sycn,sycm,sycl,syck,sych,syc6,sycf,sycg,syco,syct,sycr,sycc,syc1,syca,syc7,sycu,syc5,sybv,sybs,sybd,syb0,sybp,syag,syd7,syb1,syeh,syec,sye0,sye4,sydv,sydu,sydp,sydn,syaf,syae,sydo,sydl,sydk,sydt,sydq,sydi,sydh,sydg,syde,sydd,sydf,syda,syd9,syat,syd6,sybm,sybi,syb2,sybg,syb5,syb4,sybc,syba,syb9,syb3,syai,sya6,sydb,sycx,sycy,sycz,sybu,syby,sydr,syi9,syii,syie,syif,sy8w,sy8s,sy8v,syib,syge,syig,syia,syi8,syi5,syi4,syi3,syi1,sy8z,uxMpU,syht,syer,sydx,syen,syep,syei,syeq,syek,sybx,syd0,syel,syed,sy9m,sy9h,sy9g,sy9f,sy9e,Mlhmy,QGR0gd,OTA3Ae,sy81,EEDORb,PoEs9b,Pjplud,sy9a,sy96,sy94,A1yn5d,YIZmRd,uY49fb,sy8p,sy8n,sy8o,sy8m,sy8k,byfTOb,lsjVmc,LEikZe,kWgXee,ovKuLd,sgY6Zb,sy9s,sy9q,sy8y,xUdipf,NwH0H?xjs=s3 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; NID=521=DwY8rbcZBIWJ_sj09IBEbo1H3QSa-Py1RRpNvjDy3RVKD4twZV0BqxAIkEBXFyKpLXWG2W2XSW-UxvLvh2H8DYRse5Oh5szuuk5kfG-kwAakTS_h5jeCuWC0aCHHLmnvEDLjqEXGJMWziEYDPu09MssRRRRCgROGxF_z_yV9viLikYm3T41qvLOirU_UdMnLEcub1KXNwooUFUrDLz6tT9iX2Y9yg7f1-4AALWpDwd8M; GZ=Z=0
Source: global traffic	HTTP traffic detected: GET /xjs/_/js/k=xjs.s.en.rVvGaTzUuak.2018.O/ck=xjs.s.J-afBL40dv0.L.B1.O/am=AOIQIAQAAAACAABACAAVAAQAAAAAAAAAAAAAAAAAAAAAAAAASAAAAIAAAQAAAAAAgAAAAARRAAKAlEkAAAAAgpMCIMAOAAAAAB-ARJwKgAAAAAEBQACChAAABAAEAAIAJoQAAAIWAAEDQBAAAAACACwAACAAgQgA-_2PAwMAMAAAAAAIAEIIQgIQABgAAAdcAEgI8CHYAxIAsBCEAGAAAIAAAAAKwEMwDICgAmAARwABAACADAAAAAAAAgGEAABgAFD0AQQIAAB6AAjABwAgCSIAQAgAgAFQCAAJ_AAAASAAAACOIBAACBBaAACOgQEIAAAAAAAAwB4AHg8IhxQWAAAAAAAAAAAAAAAAgAAkCOZA-gsCEAAAAAAAAAAAAAAAAAAAAFIETVzeAIA/d=0/dg=0/br=1/ujg=1/rs=ACT90oGKARqzuXTr1-twHgnDnoV1cean1Q/m=gychg,ZfAoz,yDVVkb,qafBPd,ebZ3mb,dowIGb,sy5of,sy4rh,DpX64d,uKlGbf,sy5og,EufiNb,sy5hu,sy3op,sy2b0,sytt,tIj4fb,sy2bs,w4UyN,sy1a9,sy19c,sykw,syjs,sy12r,Mbif2,ipWLfe,sy1ab,QVaUhf,sy4tt,sy4ts,sy4tr,sy4tq,SJpD2c,sy81d,sy2i5,sy142,sy2hz,sy2c4,syux,syg6,sy810,sy7y5,sy15p,sy15j,sy15c,sy15e,sy148,sy147,sy13p,sy149,sy143,sy33e,syyu,bEGPrc,sy1oj,sy81f,sy81e,mBG1hd,sy60x,mscaJf,sy6ed,sGwFce,HxbScf,eAR4Hf,sy6ee,sy4qx,h3zgVb,lRePd,sy4tn,nN2e1e,sy5q6,sy6ef,sy24r,IRJCef,sy81g,sy5q7,scFHte,pr5okc,IFqxxc,sy4to,OXpAmf,sy6eq,sy4qr,sy4qq,sy1nq,sy1nr,sy16n,sy14a,sy140,sy141,sy13w,sy13x,sy13u,sy13t,sy13v,sy104,sy105,sy103,sy106,sy102,sy107,syzu,syzt,syzv,sy108,sy109,GElbSc,syty,sytv,sytu,syts,DPreE,sy6ea,xdV1C,sy5o0,HYSCof,sy8ag,sy6b1,sy1rt,sy1mw,KSk4yc,ma4xG,sy173,sy171,sy172,sy176,sy16z,sy170,syua,syub,sygd,sygc,syg3,syg2,syga,syue,syuf,sy174,syu6,E9M6Uc,syug,NO84gd,b5lhvb,IoGlCf,syu1,syu0,sytz,C8HsP,syul,syuj,syud,gOTY1,syvs,syvo,syvq,syvp,syvd,syvg,syvt,syvn,syvl,syvk,syvi,syv5,syv8,syv7,syvb,syva,syv9,syv3,syuu,syv6,syus,syur,syut,syuq,syvm,PbHo4e,sy17e,L1AAkb,hezEbd,sy79p,sy3rs,SC7lYd,sy49x,msmzHf,sy7fu,pHXghd?xjs=s3 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; NID=521=DwY8rbcZBIWJ_sj09IBEbo1H3QSa-Py1RRpNvjDy3RVKD4twZV0BqxAIkEBXFyKpLXWG2W2XSW-UxvLvh2H8DYRse5Oh5szuuk5kfG-kwAakTS_h5jeCuWC0aCHHLmnvEDLjqEXGJMWziEYDPu09MssRRRRCgROGxF_z_yV9viLikYm3T41qvLOirU_UdMnLEcub1KXNwooUFUrDLz6tT9iX2Y9yg7f1-4AALWpDwd8M; GZ=Z=0
Source: global traffic	HTTP traffic detected: GET /xjs/_/js/k=xjs.s.en.rVvGaTzUuak.2018.O/ck=xjs.s.J-afBL40dv0.L.B1.O/am=AOIQIAQAAAACAABACAAVAAQAAAAAAAAAAAAAAAAAAAAAAAAASAAAAIAAAQAAAAAAgAAAAARRAAKAlEkAAAAAgpMCIMAOAAAAAB-ARJwKgAAAAAEBQACChAAABAAEAAIAJoQAAAIWAAEDQBAAAAACACwAACAAgQgA-_2PAwMAMAAAAAAIAEIIQgIQABgAAAdcAEgI8CHYAxIAsBCEAGAAAIAAAAAKwEMwDICgAmAARwABAACADAAAAAAAAgGEAABgAFD0AQQIAAB6AAjABwAgCSIAQAgAgAFQCAAJ_AAAASAAAACOIBAACBBaAACOgQEIAAAAAAAAwB4AHg8IhxQWAAAAAAAAAAAAAAAAgAAkCOZA-gsCEAAAAAAAAAAAAAAAAAAAAFIETVzeAIA/d=0/dg=0/br=1/ujg=1/rs=ACT90oGKARqzuXTr1-twHgnDnoV1cean1Q/m=G6wU6e,sy18d,sy1b5,sy18c,sy1b4,sy1b3,Wn3aEc,sy7r9,sy6hy,sy4ks,sy40d,sy335,syzr,Um3BXb,K02r3e,sy40f,sy40e,sy1b9,sy1bc,sy153,qKrDxc,sy5q5,sy1qi,Z2vhDb,sy6i0,syx9,XN4wKf?xjs=s3 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; NID=521=DwY8rbcZBIWJ_sj09IBEbo1H3QSa-Py1RRpNvjDy3RVKD4twZV0BqxAIkEBXFyKpLXWG2W2XSW-UxvLvh2H8DYRse5Oh5szuuk5kfG-kwAakTS_h5jeCuWC0aCHHLmnvEDLjqEXGJMWziEYDPu09MssRRRRCgROGxF_z_yV9viLikYm3T41qvLOirU_UdMnLEcub1KXNwooUFUrDLz6tT9iX2Y9yg7f1-4AALWpDwd8M; GZ=Z=0
Source: global traffic	HTTP traffic detected: GET /xjs/_/js/md=2/k=xjs.s.en.rVvGaTzUuak.2018.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAARQAAKAAAAAAAAAAJAAIAAAAAAAAACABAAAAAAAAAEBQACChAAABAAAAAAAJgAAAAIWAAEDAAAAAAAAACAAAAAAgQgA-_2HAwAAAAAAAAAAAAAIQAIAAAAAAABcAAAI8CHYAwIAAACAAAAAAIAAAAAAAEAAAACAAgAAAAAAAAAABAAAAAAAAAEAAAAgAAD0AQAAAAAAAAAAAAAACAAAAAAAgAFQAAAB_AAAAAAAAAAOAAAACBAAAACOgQEIAAAAAAAAwB4AHg8IhxQWAAAAAAAAAAAAAAAAgAAkCOZA-gsCEAAAAAAAAAAAAAAAAAAAAFIETVzeAIA/rs=ACT90oEb5gFabjsgECjDfOsDNg-rPiA7_Q HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; NID=521=DwY8rbcZBIWJ_sj09IBEbo1H3QSa-Py1RRpNvjDy3RVKD4twZV0BqxAIkEBXFyKpLXWG2W2XSW-UxvLvh2H8DYRse5Oh5szuuk5kfG-kwAakTS_h5jeCuWC0aCHHLmnvEDLjqEXGJMWziEYDPu09MssRRRRCgROGxF_z_yV9viLikYm3T41qvLOirU_UdMnLEcub1KXNwooUFUrDLz6tT9iX2Y9yg7f1-4AALWpDwd8M; GZ=Z=0
Source: global traffic	HTTP traffic detected: GET /client_204?atyp=i&biw=1034&bih=870&ei=Wxm1Z82XGIWilQe77s3oDQ&opi=89978449 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; GZ=Z=0; NID=521=SZe-cJTgVVkm6EE901uz0AP2vBUgwhoYifrRDZ5MvCI_a6ZOfOjDvcErI8QfZgALvfn-TnozDpRQP61v2PWg4Y6cRSMKYOvsI3lYFdmxSeNaNb5hF9CwaylhUc9xEtNL9m5Zo3uWdHh5eq6oZIn3wXlRQWhSj22_eB14KfBQ1dN4glklCOv__0NeMbvqpmd2dDlKm-QZ5DQdL98qOZf6IZnkSKeoe7Aw7MlYwTNoetZU4pC3YmAA1dKhyg
Source: global traffic	HTTP traffic detected: GET /xjs/_/js/k=xjs.s.en.rVvGaTzUuak.2018.O/ck=xjs.s.J-afBL40dv0.L.B1.O/am=AOIQIAQAAAACAABACAAVAAQAAAAAAAAAAAAAAAAAAAAAAAAASAAAAIAAAQAAAAAAgAAAAARRAAKAlEkAAAAAgpMCIMAOAAAAAB-ARJwKgAAAAAEBQACChAAABAAEAAIAJoQAAAIWAAEDQBAAAAACACwAACAAgQgA-_2PAwMAMAAAAAAIAEIIQgIQABgAAAdcAEgI8CHYAxIAsBCEAGAAAIAAAAAKwEMwDICgAmAARwABAACADAAAAAAAAgGEAABgAFD0AQQIAAB6AAjABwAgCSIAQAgAgAFQCAAJ_AAAASAAAACOIBAACBBaAACOgQEIAAAAAAAAwB4AHg8IhxQWAAAAAAAAAAAAAAAAgAAkCOZA-gsCEAAAAAAAAAAAAAAAAAAAAFIETVzeAIA/d=0/dg=0/br=1/ujg=1/rs=ACT90oGKARqzuXTr1-twHgnDnoV1cean1Q/m=sb_wiz,aa,abd,sy3a7,syy9,syy8,syy0,syy7,syya,async,sy17u,bgd,sy84r,foot,sy24p,kyn,sy1yv,sy2aq,lli,sf,syxw,syxx,sy7mm,sonic,sy1mk,syha,sy3pc,sy16v,sy1s5,sy1s6,spch,tl,sywm,sywl,rtH1bd,sy4aa,sy4a8,syy3,syy5,sywv,syws,sy4a9,syzl,EkevXb,SMquOb,EiD4Fe,sywt,sywp,sywr,d5EhJe,syyw,sy1oe,sy1od,sy1oc,sy1ob,sy1oa,sy1o9,sy1o8,sy1o4,sy1ek,sy1em,sy1el,sy1ej,syx3,syx0,syx5,T1HOxc,syx1,sywz,zx30Y,sy1oi,sy1oh,sy1o1,Wo3n8,sy29s,NEW1Qc,xBbsrc,sy29u,IX53Tb,sy8bu,sy8bv,sy6kg,ND0kmf,sy661,sy16a,zGLm3b,sy4cd,sy4c5,sy4c7,sy3sr,sy1i4,sy4cc,sy4cr,sy4cq,sy4cp,sy4c2,sy4co,KHourd,sy4ug,T5VV,sy3rp,aDVF7,sy667,rhYw1b,sy4u7,FzTajd,IhkWbc,sy4ua,sy4gc,oPmHrb,sy2ao,sy2bf,Tia57b,KpRAue,sy2av,sy2b2,sy2az,sy2bg,NyeqM,sy4ci,sy4ch,sy4cb,O9SqHb,M6QgBb,sy1be,sy1bd,sy14c,syu8,EO13pd,sy3qc,I9y8sd,MpJwZc,UUJqVe,sy84,sOXFj,sy83,s39S4,oGtAuc,NTMZac,nAFL3,sy8i,sy8h,q0xTif,y05UD,sy8cf,sy4qw,sy1v1,sy2ml,sy1tc,sy2js,sy1tt,sy1ei,sy1tl,sy1eh,sy1eg,sy1bv,sy1f2,sy2jr,sy1tq,sy16f,sy1tr,sy1cn,sy1te,sy1tp,sy1tf,sy1tm,sy2jt,sy1tx,sy1bw,syr8,sy2lr,sy2eo,sy14u,sy2lu,sy1tb,sy2k3,sy1z5,sy2jp,sy2li,sy1th,sy2lj,sy1ho,sy2ay,sy1w1,sy1w2,epYOx,RagDlc?xjs=s3 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; GZ=Z=0; NID=521=SZe-cJTgVVkm6EE901uz0AP2vBUgwhoYifrRDZ5MvCI_a6ZOfOjDvcErI8QfZgALvfn-TnozDpRQP61v2PWg4Y6cRSMKYOvsI3lYFdmxSeNaNb5hF9CwaylhUc9xEtNL9m5Zo3uWdHh5eq6oZIn3wXlRQWhSj22_eB14KfBQ1dN4glklCOv__0NeMbvqpmd2dDlKm-QZ5DQdL98qOZf6IZnkSKeoe7Aw7MlYwTNoetZU4pC3YmAA1dKhyg
Source: global traffic	HTTP traffic detected: GET /xjs/_/js/k=xjs.s.en.rVvGaTzUuak.2018.O/ck=xjs.s.J-afBL40dv0.L.B1.O/am=AOIQIAQAAAACAABACAAVAAQAAAAAAAAAAAAAAAAAAAAAAAAASAAAAIAAAQAAAAAAgAAAAARRAAKAlEkAAAAAgpMCIMAOAAAAAB-ARJwKgAAAAAEBQACChAAABAAEAAIAJoQAAAIWAAEDQBAAAAACACwAACAAgQgA-_2PAwMAMAAAAAAIAEIIQgIQABgAAAdcAEgI8CHYAxIAsBCEAGAAAIAAAAAKwEMwDICgAmAARwABAACADAAAAAAAAgGEAABgAFD0AQQIAAB6AAjABwAgCSIAQAgAgAFQCAAJ_AAAASAAAACOIBAACBBaAACOgQEIAAAAAAAAwB4AHg8IhxQWAAAAAAAAAAAAAAAAgAAkCOZA-gsCEAAAAAAAAAAAAAAAAAAAAFIETVzeAIA/d=0/dg=0/br=1/ujg=1/rs=ACT90oGKARqzuXTr1-twHgnDnoV1cean1Q/m=sy8qk,sy7eb,HWk0Gf,sy185,syy6,C8ffD,sy187,sy189,ZUBru,sy18b,sy18a,sy188,rTuANe,sy40c,sy100,yfZcPd,syzn,syzm,Dpem5c,sy184,sy17y,sy17z,sy11h,Fy1Pv?xjs=s3 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; GZ=Z=0; NID=521=SZe-cJTgVVkm6EE901uz0AP2vBUgwhoYifrRDZ5MvCI_a6ZOfOjDvcErI8QfZgALvfn-TnozDpRQP61v2PWg4Y6cRSMKYOvsI3lYFdmxSeNaNb5hF9CwaylhUc9xEtNL9m5Zo3uWdHh5eq6oZIn3wXlRQWhSj22_eB14KfBQ1dN4glklCOv__0NeMbvqpmd2dDlKm-QZ5DQdL98qOZf6IZnkSKeoe7Aw7MlYwTNoetZU4pC3YmAA1dKhyg
Source: global traffic	HTTP traffic detected: GET /xjs/_/ss/k=xjs.s.J-afBL40dv0.L.B1.O/am=AOIQIAQAAAACAABACAAVAAQAAAAAAAAAAAAAAAAAAAAAAAAASAAAAIAAAQAAAAAAgAAAAAARAAAAlEkAAAAAghMCIMAOAAAAAB-AQJwKgAAAAAAAQACABAAAAAAEAAIAJIQAAAAEAAAAQBAAAAACACwAACAAAAgAAAAIAwMAMAAAAAAIAEIIAgAQABgAAAdAAEgAACCAAxAAsBAEAGAAAIAAAAAKwEMwDICgAmAARwABAACACAAAAAAAAgCEAABgAFAAAAQIAAB6AAjABwAgCSIAQAgAAAFQCAAIAAAAASAAAACAIBAAAABaAACOgQEIAAAAAAAAABIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAEA/d=0/br=1/rs=ACT90oHGymGXzmSL_ynnO9_AgzhVUzXrTQ/m=symz,sy1ng?xjs=s4 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; GZ=Z=0; NID=521=SZe-cJTgVVkm6EE901uz0AP2vBUgwhoYifrRDZ5MvCI_a6ZOfOjDvcErI8QfZgALvfn-TnozDpRQP61v2PWg4Y6cRSMKYOvsI3lYFdmxSeNaNb5hF9CwaylhUc9xEtNL9m5Zo3uWdHh5eq6oZIn3wXlRQWhSj22_eB14KfBQ1dN4glklCOv__0NeMbvqpmd2dDlKm-QZ5DQdL98qOZf6IZnkSKeoe7Aw7MlYwTNoetZU4pC3YmAA1dKhyg
Source: global traffic	HTTP traffic detected: GET /xjs/_/js/k=xjs.s.en.rVvGaTzUuak.2018.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAARQAAKAAAAAAAAAAJAAIAAAAAAAAACABAAAAAAAAAEBQACChAAABAAAAAAAJgAAAAIWAAEDAAAAAAAAACAAAAAAgQgA-_2HAwAAAAAAAAAAAAAIQAIAAAAAAABcAAAI8CHYAwIAAACAAAAAAIAAAAAAAEAAAACAAgAAAAAAAAAABAAAAAAAAAEAAAAgAAD0AQAAAAAAAAAAAAAACAAAAAAAgAFQAAAB_AAAAAAAAAAOAAAACBAAAACOgQEIAAAAAAAAwB4AHg8IhxQWAAAAAAAAAAAAAAAAgAAkCOZA-gsCEAAAAAAAAAAAAAAAAAAAAFIETVzeAIA/d=0/dg=0/br=1/rs=ACT90oEb5gFabjsgECjDfOsDNg-rPiA7_Q/m=sy2aa,P10Owf,sy1pl,sy1ou,WlNQGd,sy4k3,sy4in,nabPbb,sy1ot,sy1or,symz,sy1ng,CnSW2d,sy81j,sy5o6,sy1i6,syzi,syzg,syzh,sy1ps,sy1pq,VD4Qme,syhu,BYwJlf,sy19b,sy198,sy197,VEbNoe,syvy,UBXHI,sy18h,sy18g,Dq2Yjb,sy18k,sy18j,sy18i,NVlnE,sy17w,sy17v,qmdEUe,sy18m,sy18l,sy186,UqGwg,sy1re,fiAufb,sy1rd,sy1rc,q00IXe,sy1ri,sy1rh,sy1rf,Fh0l0,sy4cz,qcH9Lc,sy4c4,sy4ce,gCngrf,pjDTFb,sy4cn,sy2qo,KgxeNb,sy4cj,khkNpe?xjs=s4 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; GZ=Z=0; NID=521=SZe-cJTgVVkm6EE901uz0AP2vBUgwhoYifrRDZ5MvCI_a6ZOfOjDvcErI8QfZgALvfn-TnozDpRQP61v2PWg4Y6cRSMKYOvsI3lYFdmxSeNaNb5hF9CwaylhUc9xEtNL9m5Zo3uWdHh5eq6oZIn3wXlRQWhSj22_eB14KfBQ1dN4glklCOv__0NeMbvqpmd2dDlKm-QZ5DQdL98qOZf6IZnkSKeoe7Aw7MlYwTNoetZU4pC3YmAA1dKhyg
Source: global traffic	HTTP traffic detected: GET /xjs/_/js/k=xjs.s.en.rVvGaTzUuak.2018.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAARQAAKAAAAAAAAAAJAAIAAAAAAAAACABAAAAAAAAAEBQACChAAABAAAAAAAJgAAAAIWAAEDAAAAAAAAACAAAAAAgQgA-_2HAwAAAAAAAAAAAAAIQAIAAAAAAABcAAAI8CHYAwIAAACAAAAAAIAAAAAAAEAAAACAAgAAAAAAAAAABAAAAAAAAAEAAAAgAAD0AQAAAAAAAAAAAAAACAAAAAAAgAFQAAAB_AAAAAAAAAAOAAAACBAAAACOgQEIAAAAAAAAwB4AHg8IhxQWAAAAAAAAAAAAAAAAgAAkCOZA-gsCEAAAAAAAAAAAAAAAAAAAAFIETVzeAIA/d=0/dg=0/br=1/rs=ACT90oEb5gFabjsgECjDfOsDNg-rPiA7_Q/m=sy1o2,sy1nz,gSZvdb?xjs=s4 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; GZ=Z=0; NID=521=SZe-cJTgVVkm6EE901uz0AP2vBUgwhoYifrRDZ5MvCI_a6ZOfOjDvcErI8QfZgALvfn-TnozDpRQP61v2PWg4Y6cRSMKYOvsI3lYFdmxSeNaNb5hF9CwaylhUc9xEtNL9m5Zo3uWdHh5eq6oZIn3wXlRQWhSj22_eB14KfBQ1dN4glklCOv__0NeMbvqpmd2dDlKm-QZ5DQdL98qOZf6IZnkSKeoe7Aw7MlYwTNoetZU4pC3YmAA1dKhyg
Source: global traffic	HTTP traffic detected: GET /async/bgasy?ei=Wxm1Z82XGIWilQe77s3oDQ&opi=89978449&yv=3&cs=0&async=_fmt:jspb HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36X-DoS-Behavior: Embedsec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; GZ=Z=0; NID=521=SZe-cJTgVVkm6EE901uz0AP2vBUgwhoYifrRDZ5MvCI_a6ZOfOjDvcErI8QfZgALvfn-TnozDpRQP61v2PWg4Y6cRSMKYOvsI3lYFdmxSeNaNb5hF9CwaylhUc9xEtNL9m5Zo3uWdHh5eq6oZIn3wXlRQWhSj22_eB14KfBQ1dN4glklCOv__0NeMbvqpmd2dDlKm-QZ5DQdL98qOZf6IZnkSKeoe7Aw7MlYwTNoetZU4pC3YmAA1dKhyg
Source: global traffic	HTTP traffic detected: GET /client_204?cs=1&opi=89978449 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; GZ=Z=0; NID=521=SZe-cJTgVVkm6EE901uz0AP2vBUgwhoYifrRDZ5MvCI_a6ZOfOjDvcErI8QfZgALvfn-TnozDpRQP61v2PWg4Y6cRSMKYOvsI3lYFdmxSeNaNb5hF9CwaylhUc9xEtNL9m5Zo3uWdHh5eq6oZIn3wXlRQWhSj22_eB14KfBQ1dN4glklCOv__0NeMbvqpmd2dDlKm-QZ5DQdL98qOZf6IZnkSKeoe7Aw7MlYwTNoetZU4pC3YmAA1dKhyg; DV=Qx3WQJ5Kc6oaoLzqnEwKQNDx4bC2URk
Source: global traffic	HTTP traffic detected: GET /async/vpkg?vet=10ahUKEwiNsavRsc6LAxUFUeUKHTt3E90Qj5gNCCM..i&ei=Wxm1Z82XGIWilQe77s3oDQ&opi=89978449&yv=3&cs=0&async=_basejs:%2Fxjs%2F_%2Fjs%2Fk%3Dxjs.s.en.rVvGaTzUuak.2018.O%2Fam%3DAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAARQAAKAAAAAAAAAAJAAIAAAAAAAAACABAAAAAAAAAEBQACChAAABAAAAAAAJgAAAAIWAAEDAAAAAAAAACAAAAAAgQgA-_2HAwAAAAAAAAAAAAAIQAIAAAAAAABcAAAI8CHYAwIAAACAAAAAAIAAAAAAAEAAAACAAgAAAAAAAAAABAAAAAAAAAEAAAAgAAD0AQAAAAAAAAAAAAAACAAAAAAAgAFQAAAB_AAAAAAAAAAOAAAACBAAAACOgQEIAAAAAAAAwB4AHg8IhxQWAAAAAAAAAAAAAAAAgAAkCOZA-gsCEAAAAAAAAAAAAAAAAAAAAFIETVzeAIA%2Fdg%3D0%2Fbr%3D1%2Frs%3DACT90oEb5gFabjsgECjDfOsDNg-rPiA7_Q,_basecss:%2Fxjs%2F_%2Fss%2Fk%3Dxjs.s.J-afBL40dv0.L.B1.O%2Fam%3DAOIQIAQAAAACAABACAAVAAQAAAAAAAAAAAAAAAAAAAAAAAAASAAAAIAAAQAAAAAAgAAAAAARAAAAlEkAAAAAghMCIMAOAAAAAB-AQJwKgAAAAAAAQACABAAAAAAEAAIAJIQAAAAEAAAAQBAAAAACACwAACAAAAgAAAAIAwMAMAAAAAAIAEIIAgAQABgAAAdAAEgAACCAAxAAsBAEAGAAAIAAAAAKwEMwDICgAmAARwABAACACAAAAAAAAgCEAABgAFAAAAQIAAB6AAjABwAgCSIAQAgAAAFQCAAIAAAAASAAAACAIBAAAABaAACOgQEIAAAAAAAAABIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAEA%2Fbr%3D1%2Frs%3DACT90oHGymGXzmSL_ynnO9_AgzhVUzXrTQ,_basecomb:%2Fxjs%2F_%2Fjs%2Fk%3Dxjs.s.en.rVvGaTzUuak.2018.O%2Fck%3Dxjs.s.J-afBL40dv0.L.B1.O%2Fam%3DAOIQIAQAAAACAABACAAVAAQAAAAAAAAAAAAAAAAAAAAAAAAASAAAAIAAAQAAAAAAgAAAAARRAAKAlEkAAAAAgpMCIMAOAAAAAB-ARJwKgAAAAAEBQACChAAABAAEAAIAJoQAAAIWAAEDQBAAAAACACwAACAAgQgA-_2PAwMAMAAAAAAIAEIIQgIQABgAAAdcAEgI8CHYAxIAsBCEAGAAAIAAAAAKwEMwDICgAmAARwABAACADAAAAAAAAgGEAABgAFD0AQQIAAB6AAjABwAgCSIAQAgAgAFQCAAJ_AAAASAAAACOIBAACBBaAACOgQEIAAAAAAAAwB4AHg8IhxQWAAAAAAAAAAAAAAAAgAAkCOZA-gsCEAAAAAAAAAAAAAAAAAAAAFIETVzeAIA%2Fd%3D1%2Fed%3D1%2Fdg%3D0%2Fbr%3D1%2Fujg%3D1%2Frs%3DACT90oGKARqzuXTr1-twHgnDnoV1cean1Q,_fmt:prog,_id:QPwIld HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36X-DoS-Behavior: Embedsec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; GZ=Z=0; NID=521=SZe-cJTgVVkm6EE901uz0AP2vBUgwhoYifrRDZ5MvCI_a6ZOfOjDvcErI8QfZgALvfn-TnozDpRQP61v2PWg4Y6cRSMKYOvsI3lYFdmxSeNaNb5hF9Cwayl
Source: global traffic	HTTP traffic detected: GET /xjs/_/js/k=xjs.s.en.rVvGaTzUuak.2018.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAARQAAKAAAAAAAAAAJAAIAAAAAAAAACABAAAAAAAAAEBQACChAAABAAAAAAAJgAAAAIWAAEDAAAAAAAAACAAAAAAgQgA-_2HAwAAAAAAAAAAAAAIQAIAAAAAAABcAAAI8CHYAwIAAACAAAAAAIAAAAAAAEAAAACAAgAAAAAAAAAABAAAAAAAAAEAAAAgAAD0AQAAAAAAAAAAAAAACAAAAAAAgAFQAAAB_AAAAAAAAAAOAAAACBAAAACOgQEIAAAAAAAAwB4AHg8IhxQWAAAAAAAAAAAAAAAAgAAkCOZA-gsCEAAAAAAAAAAAAAAAAAAAAFIETVzeAIA/d=0/dg=0/br=1/rs=ACT90oEb5gFabjsgECjDfOsDNg-rPiA7_Q/m=lOO0Vd,sy9b,P6sQOc?xjs=s4 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 10sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; GZ=Z=0; DV=Qx3WQJ5Kc6oaoLzqnEwKQNDx4bC2URk; NID=521=N_kW7kQ9anzHezVqq-Z8ViVjLPxA-K3C5X24RgYfGY7hNt_kkqgR02_zGbfD3_b6XLCwBq-lsln8YQAHgMSXUbg6uEDhpUSx-2D_9lbnLW-6wa6CkjjvvxpZAONd3MFT92mx5yYSBsbMftug9zc_gJZIbHPd731iNNhuMnJCGR54uy1Evkf_Ln38qyajoxi7cUpSOi8-XrTFDeCtIQ_E3ANWp2DwZ3-M5pwg3MuT8LwO74BRYHtnuFyu7OLOPw
Source: global traffic	HTTP traffic detected: GET /xjs/_/js/k=xjs.s.en.rVvGaTzUuak.2018.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAARQAAKAAAAAAAAAAJAAIAAAAAAAAACABAAAAAAAAAEBQACChAAABAAAAAAAJgAAAAIWAAEDAAAAAAAAACAAAAAAgQgA-_2HAwAAAAAAAAAAAAAIQAIAAAAAAABcAAAI8CHYAwIAAACAAAAAAIAAAAAAAEAAAACAAgAAAAAAAAAABAAAAAAAAAEAAAAgAAD0AQAAAAAAAAAAAAAACAAAAAAAgAFQAAAB_AAAAAAAAAAOAAAACBAAAACOgQEIAAAAAAAAwB4AHg8IhxQWAAAAAAAAAAAAAAAAgAAkCOZA-gsCEAAAAAAAAAAAAAAAAAAAAFIETVzeAIA/d=0/dg=0/br=1/rs=ACT90oEb5gFabjsgECjDfOsDNg-rPiA7_Q/m=syi0,aLUfP?xjs=s4 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 10sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; GZ=Z=0; DV=Qx3WQJ5Kc6oaoLzqnEwKQNDx4bC2URk; NID=521=N_kW7kQ9anzHezVqq-Z8ViVjLPxA-K3C5X24RgYfGY7hNt_kkqgR02_zGbfD3_b6XLCwBq-lsln8YQAHgMSXUbg6uEDhpUSx-2D_9lbnLW-6wa6CkjjvvxpZAONd3MFT92mx5yYSBsbMftug9zc_gJZIbHPd731iNNhuMnJCGR54uy1Evkf_Ln38qyajoxi7cUpSOi8-XrTFDeCtIQ_E3ANWp2DwZ3-M5pwg3MuT8LwO74BRYHtnuFyu7OLOPw
Source: global traffic	HTTP traffic detected: GET /xjs/_/js/k=xjs.s.en.rVvGaTzUuak.2018.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAARQAAKAAAAAAAAAAJAAIAAAAAAAAACABAAAAAAAAAEBQACChAAABAAAAAAAJgAAAAIWAAEDAAAAAAAAACAAAAAAgQgA-_2HAwAAAAAAAAAAAAAIQAIAAAAAAABcAAAI8CHYAwIAAACAAAAAAIAAAAAAAEAAAACAAgAAAAAAAAAABAAAAAAAAAEAAAAgAAD0AQAAAAAAAAAAAAAACAAAAAAAgAFQAAAB_AAAAAAAAAAOAAAACBAAAACOgQEIAAAAAAAAwB4AHg8IhxQWAAAAAAAAAAAAAAAAgAAkCOZA-gsCEAAAAAAAAAAAAAAAAAAAAFIETVzeAIA/d=0/dg=0/br=1/rs=ACT90oEb5gFabjsgECjDfOsDNg-rPiA7_Q/m=Ko78Df?xjs=s4 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 10sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; GZ=Z=0; DV=Qx3WQJ5Kc6oaoLzqnEwKQNDx4bC2URk; NID=521=N_kW7kQ9anzHezVqq-Z8ViVjLPxA-K3C5X24RgYfGY7hNt_kkqgR02_zGbfD3_b6XLCwBq-lsln8YQAHgMSXUbg6uEDhpUSx-2D_9lbnLW-6wa6CkjjvvxpZAONd3MFT92mx5yYSBsbMftug9zc_gJZIbHPd731iNNhuMnJCGR54uy1Evkf_Ln38qyajoxi7cUpSOi8-XrTFDeCtIQ_E3ANWp2DwZ3-M5pwg3MuT8LwO74BRYHtnuFyu7OLOPw
Source: global traffic	HTTP traffic detected: GET /xjs/_/js/k=xjs.s.en.rVvGaTzUuak.2018.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAARQAAKAAAAAAAAAAJAAIAAAAAAAAACABAAAAAAAAAEBQACChAAABAAAAAAAJgAAAAIWAAEDAAAAAAAAACAAAAAAgQgA-_2HAwAAAAAAAAAAAAAIQAIAAAAAAABcAAAI8CHYAwIAAACAAAAAAIAAAAAAAEAAAACAAgAAAAAAAAAABAAAAAAAAAEAAAAgAAD0AQAAAAAAAAAAAAAACAAAAAAAgAFQAAAB_AAAAAAAAAAOAAAACBAAAACOgQEIAAAAAAAAwB4AHg8IhxQWAAAAAAAAAAAAAAAAgAAkCOZA-gsCEAAAAAAAAAAAAAAAAAAAAFIETVzeAIA/d=0/dg=0/br=1/rs=ACT90oEb5gFabjsgECjDfOsDNg-rPiA7_Q/m=I46Hvd?xjs=s4 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 10sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; GZ=Z=0; DV=Qx3WQJ5Kc6oaoLzqnEwKQNDx4bC2URk; NID=521=N_kW7kQ9anzHezVqq-Z8ViVjLPxA-K3C5X24RgYfGY7hNt_kkqgR02_zGbfD3_b6XLCwBq-lsln8YQAHgMSXUbg6uEDhpUSx-2D_9lbnLW-6wa6CkjjvvxpZAONd3MFT92mx5yYSBsbMftug9zc_gJZIbHPd731iNNhuMnJCGR54uy1Evkf_Ln38qyajoxi7cUpSOi8-XrTFDeCtIQ_E3ANWp2DwZ3-M5pwg3MuT8LwO74BRYHtnuFyu7OLOPw
Source: global traffic	HTTP traffic detected: GET /instream/ad_status.js HTTP/1.1Host: static.doubleclick.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.youtube.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /pagead/id HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Origin: https://www.youtube.comX-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.youtube.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /pagead/id?slf_rd=1 HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Origin: https://www.youtube.comX-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.youtube.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; GZ=Z=0; DV=Qx3WQJ5Kc6oaoLzqnEwKQNDx4bC2URk; NID=521=N_kW7kQ9anzHezVqq-Z8ViVjLPxA-K3C5X24RgYfGY7hNt_kkqgR02_zGbfD3_b6XLCwBq-lsln8YQAHgMSXUbg6uEDhpUSx-2D_9lbnLW-6wa6CkjjvvxpZAONd3MFT92mx5yYSBsbMftug9zc_gJZIbHPd731iNNhuMnJCGR54uy1Evkf_Ln38qyajoxi7cUpSOi8-XrTFDeCtIQ_E3ANWp2DwZ3-M5pwg3MuT8LwO74BRYHtnuFyu7OLOPw
Source: global traffic	HTTP traffic detected: GET /gen_204?atyp=i&ct=psnt&cad=&nt=navigate&ei=Wxm1Z82XGIWilQe77s3oDQ&zx=1739921772354&opi=89978449 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlKHLAQj2mM0BCIWgzQEI3L3NAQiRys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVcja2dRHkIKHhlRecSkGfgmJmT9DW8DEI8FFeiIjuQYzA3FDzI7XQ_YFA; GZ=Z=0; DV=Qx3WQJ5Kc6oaoLzqnEwKQNDx4bC2URk; NID=521=N_kW7kQ9anzHezVqq-Z8ViVjLPxA-K3C5X24RgYfGY7hNt_kkqgR02_zGbfD3_b6XLCwBq-lsln8YQAHgMSXUbg6uEDhpUSx-2D_9lbnLW-6wa6CkjjvvxpZAONd3MFT92mx5yYSBsbMftug9zc_gJZIbHPd731iNNhuMnJCGR54uy1Evkf_Ln38qyajoxi7cUpSOi8-XrTFDeCtIQ_E3ANWp2DwZ3-M5pwg3MuT8LwO74BRYHtnuFyu7OLOPw
Source: global traffic	HTTP traffic detected: GET /crx/blobs/ASuc5oisP-vad288S8SaQyCn0RwQHSIttmiNDpxXDfc0dgfkE18nHRFB5IE7DCCRzCEkfumOI3oXlIU55eRn7-4QTmfrpKK1Q1_K1hSMP-BRAmwO3xfOisMGZbKH2bU3lj5sAMZSmuWqsmeuCl9c5iEEK0agqvWXpPfz-A/EFAIDNBMNNNIBPCAJPCGLCLEFINDMKAJ_25_2_2_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /webstore/inlineinstall/detail/efaidnbmnnnibpcajpcglclefindmkaj HTTP/1.1Host: chrome.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /crx/blobs/ASuc5ohcoRYyASTWkAI21BvR0f-Aos7pzgW3GtD8ImYoX-O9Pl77join3GT-5wpD1vT_nG6xpJ0eds7JOZacv0OYNfBAee3mKSnMDx3-YDnz3J7UxfHM_wfhsyHz9Z8rajAAxlKa5T9frrLlN0KHGfJRu7Y7NseNtZ_M/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_89_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBT4XPMAgX8rbNb10iD9IkFVxGbTWwQUW8pe5d7SgarNqC1kUbbZcpuX5k8CEG7dTyXnMX05gVcxNM%2FB3KA%3D HTTP/1.1Cache-Control: max-age = 86400Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 26 Sep 2024 16:44:20 GMTIf-None-Match: "d91ee5b14c0f7c7bb068678cc516609fdcc07f21"User-Agent: Microsoft-CryptoAPI/10.0Host: ocsps.ssl.com

Source: global traffic	DNS traffic detected: DNS query: docu-flex.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: dns-tunnel-check.googlezip.net
Source: global traffic	DNS traffic detected: DNS query: tunnel.googlezip.net
Source: global traffic	DNS traffic detected: DNS query: id.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: i.ytimg.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: googleads.g.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: static.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.google.com

Source: unknown

HTTP traffic detected: POST /log HTTP/1.1Content-Type: text/plain; charset=utf-8Host: docu-flex.comContent-Length: 24Expect: 100-continue

Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://.css
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://.jpg
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://blog.izs.me)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://blog.izs.me/)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://code.google.com/p/closure-compiler/wiki/SourceMaps
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://marijnhaverbeke.nl/git/acorn
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://narwhaljs.org)
Source: DocuFlex.exe, 00000000.00000002.1632147933.000000000833B000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000002.1691697586.000000000DB83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.attribution.com/ads/1.0/
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://scripts.sil.org/OFL
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://src.chromium.org/viewvc/blink/trunk/Source/devtools/front_end/SourceMap.js
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://travis-ci.org/grncdr/merge-stream)
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://userguide.icu-project.org/strings/properties
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000000902000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.ascendercorp.com/
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.ascendercorp.com/http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.ht
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.electrovir.com
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.midnight-commander.org/browser/lib/tty/key.c
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.squid-cache.org/Doc/config/half_closed_clients/
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.000000000477E000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000004769000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000003874000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.00000000047A4000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000004274000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://avatars0.githubusercontent.com/u/1205860?v=4
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://avatars2.githubusercontent.com/u/8136211?v=4
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://bugs.chromium.org/p/v8/issues/detail?id=10201
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=745678
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://cairographics.org))
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://ci.appveyor.com/project/satazor/node-cross-spawn
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://code.google.com/p/chromium/issues/detail?id=25916
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://codecov.io/gh/ehmicky/human-signals)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://codecov.io/gh/sindresorhus/execa)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://codecov.io/gh/sindresorhus/execa/branch/main/graph/badge.svg)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#clear
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#console-namespace
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#count
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#count-map
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#countreset
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#table
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://crbug.com/v8/7848
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://crbug.com/v8/8520
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js?rcl=dd10454c1d
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc7231#section-6.4
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc7238
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/AbortController).
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/Blob).
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/Clipboard_API#Browser_compatibility).
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/PerformanceResourceTiming
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/ReadableStream)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/TextDecoderStream)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Equality_comparisons_and_sameness#Loose_equa
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/fromAsync#bro
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/fromAsync)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.000000000883F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/length).
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.000000000883F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/ArrayBuffer).
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.000000000883F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/ArrayBuffer/byteLen
Source: DocuFlex.exe, 00000000.00000002.1632147933.00000000083B5000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.00000000088E1000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.00000000083E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/getOwnProper
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.000000000883F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/length)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Iteration_protocols#the_async_iter
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts).
Source: DocuFlex.exe, 00000000.00000002.1632147933.000000000833B000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000000902000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docu-flex.com/log
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://dom.spec.whatwg.org/#interface-abortcontroller
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://dom.spec.whatwg.org/#interface-eventtarget
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org/#encode-and-enqueue-a-chunk
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org/#encode-and-flush
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org/#textdecoder
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org/#textencoder
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://esdiscuss.org/topic/isconstructor#content-11
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fedoraproject.org/wiki/Licensing/LiberationFontLicenseLicensed
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fedoraproject.org/wiki/Licensing/LiberationFontLicensehttps://fedoraproject.org/wiki/Licensi
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#concept-header-list-append
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#concept-header-list-delete
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#concept-header-list-get
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#concept-header-list-set
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#concept-header-list-sort-and-combine
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#concept-request-mode
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#dom-headers-append
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#dom-headers-delete
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#dom-headers-get
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#dom-headers-getsetcookie
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#dom-headers-has
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#dom-headers-set
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#dom-request
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#dom-response
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#dom-response-json
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#fetch-controller-abort
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#fetch-method
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#fetch-timing-info
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#header-list-contains
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#headers-class
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#http-whitespace
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#request-class
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#requestcache
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#requestcredentials
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#requestredirect
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#response-class
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fosstodon.org/
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gist.github.com/XVilka/8346728#gistcomment-2823421
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gist.github.com/sindresorhus/a39789f98801d908bbc7ff3ecc99d99c)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/ForbesLindesay/win-spawn)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/IndigoUnited/node-cross-spawn#why)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/WICG/scheduling-apis
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/WebAssembly/esm-integration/issues/42
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/acornjs/acorn.git
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/acornjs/acorn/blob/master/acorn/src/identifier.js#L23
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/acornjs/acorn/issues
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/acornjs/acorn/issues/575
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/addaleax/eventemitter-asyncresource
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/chalk/ansi-regex/blob/HEAD/index.js
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/chalk/supports-color
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/chromium/chromium/blob/HEAD/third_party/blink/public/platform/web_crypto_algorith
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/da-x/rxvt-unicode/tree/v9.22-with-24bit-color
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/denoland/deno
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/denoland/deno/blob/main/LICENSE.md.
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/denoland/deno/blob/v1.29.1/ext/crypto/00_crypto.js#L195
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/dominictarr/event-stream)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/ehmicky)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/ehmicky/cross-platform-node-guide/blob/main/docs/6_networking_ipc/signals.md#cros
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/ehmicky/get-bin-path)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/ehmicky/get-node)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/ehmicky/gulp-execa)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/ehmicky/human-signals/commits?author=ehmicky
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/ehmicky/human-signals/commits?author=electrovir
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/ehmicky/human-signals/issues
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/ehmicky/nvexeca)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/estree/estree
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/estree/estree/blob/a27003adf4fd7bfad44de9cef372a2eacd527b1c/es5.md#regexpliteral
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.js
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/startSES.js
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/google/closure-compiler/wiki/Source-Maps
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/hapijs/b64).
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/heycam/webidl/pull/946.
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/inspect-js/is-date-object/blob/main/index.js#L3-L11
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/isaacs/color-support.
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/isaacs/isexe#readme
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/isaacs/isexe.git
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/isaacs/isexe/issues
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/jamestalmage/is-file-stream)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/jorangreef/sudo-prompt)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/joyent/node/issues/2318)
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/joyent/node/issues/3295.
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/jsdom/webidl-conversions
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/jsdom/webidl-conversions/blob/master/LICENSE.md.
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/libuv/libuv/pull/1501.
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/libuv/libuv/pull/2025.
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/mafintosh/end-of-stream
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/mafintosh/pump
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/maxogden/concat-stream)?
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/mishoo/UglifyJS2
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/moxystudio/node-cross-spawn
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/moxystudio/node-cross-spawn/actions/workflows/ci.yaml
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/moxystudio/node-cross-spawn/actions/workflows/ci.yaml/badge.svg
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/moxystudio/node-cross-spawn/blob/e77b8f22a416db46b6196767bcd35601d7e11d54/test/in
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/moxystudio/node-cross-spawn/issues/82)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/mozilla/sweet.js/wiki/design
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/mysticatea/abort-controller
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node-v0.x-archive/issues/2876.
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/blob/b27ae24dcc4251bad726d9d84baf678d1f707fed/lib/internal/structured
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/commit/ec2822adaad76b126b5cccdeaa1addf2376c9aa6
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/commit/f7620fb96d339f704932f9bb9a0dceb9952df2d4
Source: DocuFlex.exe, 00000000.00000000.1168081456.00000000051A4000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/10673
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/13435
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/19009
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/2006
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/2119
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/29837)
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/3392
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/34532
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/35452
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/35475
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/35862
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/35981
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/39707
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/39758
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/44985
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/45699
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/51486
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/7367)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/12342
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/12607
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/13870#discussion_r124515293
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/1771#issuecomment-119351671
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/21313
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/26334.
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/30380#issuecomment-552948364
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/30958
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/33515.
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/33661
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/3394
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/34010
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/34103#issuecomment-652002364
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/34375
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/34385
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/35949#issuecomment-722496598
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/36061#discussion_r533718029
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/38248
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/38433#issuecomment-828426932
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/38614)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/43714
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/44004#discussion_r930958420
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/46161
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/46528
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/48477#issuecomment-1604586650
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/49891#issuecomment-1744673430.
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nodejs/undici/issues/2021
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/sindresorhus)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/sindresorhus/clipboard-cli)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/sindresorhus/copy-text-to-clipboard)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/sindresorhus/execa?sponsor=1
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/sindresorhus/get-stdin)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/sindresorhus/into-stream)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/sindresorhus/is-docker)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/sindresorhus/p-retry)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/sindresorhus/rename-fn)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/sindresorhus/system-architecture)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sindresorhus/taskkill).
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/sindresorhus/win-clipboard).
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/sinonjs/fake-timers/blob/a4c757f80840829e45e0852ea1b17d87a998388e/src/fake-timers
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/sponsors/isaacs
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/sponsors/sindresorhus
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/standard-things/esm/issues/821.
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/tapjs/signal-exit.git
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/tc39/ecma262/blob/HEAD/LICENSE.md
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/tc39/ecma262/issues/1209
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/tc39/proposal-iterator-helpers/issues/169
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/tc39/proposal-ses/blob/e5271cc42a257a05dcae2fd94713ed2f46c08620/shim/src/freeze.j
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/tc39/proposal-weakrefs
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://goo.gl/t5IS6M).
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#define-the-operations
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#dfn-default-iterator-object
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#dfn-iterator-prototype-object
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-interfaces
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-iterable
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-iterable-entries
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-iterators
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-namespaces
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-stringifier
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setinterval
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/web-messaging.html#broadcasting-to-other-browsing-contexts
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope.
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://img.shields.io/appveyor/ci/satazor/node-cross-spawn/master.svg
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://img.shields.io/badge/-Mastodon-808080.svg?logo=mastodon&colorA=404040&logoColor=9590F9)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://img.shields.io/badge/-Medium-808080.svg?logo=medium&colorA=404040)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://img.shields.io/badge/-Node.js-808080?logo=node.js&colorA=404040&logoColor=66cc33)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://img.shields.io/badge/-Tested%20100%25-808080?logo=codecov&colorA=404040)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://img.shields.io/badge/-Typed-808080?logo=typescript&colorA=404040&logoColor=0096ff)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://img.shields.io/npm/dm/cross-spawn.svg
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://img.shields.io/npm/v/cross-spawn.svg
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://infra.spec.whatwg.org/#forgiving-base64
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://infra.spec.whatwg.org/#forgiving-base64-decode
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://invisible-island.net/ncurses/terminfo.ti.html#toc-_Specials
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://jimmy.warting.se/opensource
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://linux.die.net/man/1/dircolors).
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://linux.die.net/man/1/xsel).
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://ltp.sourceforge.net/coverage/lcov/geninfo.1.php
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://mathiasbynens.be/notes/javascript-encoding
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://medium.com/
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://mimesniff.spec.whatwg.org/#mime-type-essence
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://no-color.org/
Source: DocuFlex.exe, 00000000.00000000.1168081456.00000000051A4000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.000000000883F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/buffer.html#buflength)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.000000000883F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/buffer.html#class-buffer).
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/child_process.html#child_process_advanced_serialization)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/child_process.html#child_process_child_process_fork_modulepath_args_options):
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/child_process.html#child_process_child_process_spawn_command_args_options)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/child_process.html#child_process_child_process_spawn_command_args_options)/
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/child_process.html#child_process_child_process_spawnsync_command_args_options
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/child_process.html#child_process_class_childprocess)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/child_process.html#child_process_options_detached)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/child_process.html#child_process_options_detached).
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/child_process.html#child_process_options_stdio)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/child_process.html#child_process_subprocess_kill_signal)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/child_process.html#child_process_subprocess_stderr).
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/child_process.html#child_process_subprocess_stdout)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/child_process.html)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/cli.html#cli_options)
Source: DocuFlex.exe, 00000000.00000000.1168081456.00000000051A4000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode).
Source: DocuFlex.exe, 00000000.00000000.1168081456.00000000051A4000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/fs.html
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/fs.html#fs_stat_time_values)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/os.html#os_signal_constants)
Source: DocuFlex.exe, 00000000.00000000.1168081456.00000000051A4000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/permissions.html#file-system-permissions
Source: DocuFlex.exe, 00000000.00000002.1632147933.000000000842F000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008445000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.00000000083FF000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008415000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/process.html#process_process_env).
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/process.html#process_process_execargv)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/process.html#process_process_execpath)
Source: DocuFlex.exe, 00000000.00000002.1632147933.000000000842F000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008445000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.00000000083FF000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008415000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/process.html#process_process_platform).
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/process.html#process_signal_events)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/process.html#process_signal_events).
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/process.html#processarch)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/stream.html#class-streamreadable)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.000000000883F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/stream.html#object-mode).
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/stream.html#readablepipedestination-options)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/stream.html#readabletoarrayoptions)
Source: DocuFlex.exe, 00000000.00000002.1632147933.00000000088B1000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.00000000088C9000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/stream.html#stream_class_stream_duplex).
Source: DocuFlex.exe, 00000000.00000002.1632147933.00000000088B1000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.00000000088C9000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/stream.html#stream_class_stream_readable).
Source: DocuFlex.exe, 00000000.00000002.1632147933.00000000088B1000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.00000000088C9000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/stream.html#stream_class_stream_transform).
Source: DocuFlex.exe, 00000000.00000002.1632147933.00000000088B1000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.00000000088C9000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/stream.html#stream_class_stream_writable).
Source: DocuFlex.exe, 00000000.00000002.1632147933.00000000088B1000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.00000000088C9000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/stream.html#stream_stream).
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/stream.html)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/v8.html#v8_v8_serialize_value)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/webstreams.html#streamconsumersarraybufferstream)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/webstreams.html#streamconsumersbufferstream)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/api/webstreams.html#streamconsumerstextstream)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/dist/latest-v6.x/docs/api/child_process.html#child_process_options_stdio)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/dist/latest-v6.x/docs/api/child_process.html#child_process_options_stdio).
Source: DocuFlex.exe, 00000000.00000000.1168081456.00000000051A4000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/download/release/
Source: DocuFlex.exe, 00000000.00000000.1168081456.00000000051A4000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/download/release/v20.12.2/node-v20.12.2-headers.tar.gz
Source: DocuFlex.exe, 00000000.00000000.1168081456.00000000051A4000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/download/release/v20.12.2/node-v20.12.2.tar.gz
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/download/release/v20.12.2/node-v20.12.2.tar.gzhttps://nodejs.org/download/release
Source: DocuFlex.exe, 00000000.00000000.1168081456.00000000051A4000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/download/release/v20.12.2/win-x64/node.lib
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/en/docs/inspector
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/en/docs/inspectorFor
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/static/images/favicons/favicon.ico
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nodejs.org/static/images/favicons/favicon.icodevtoolsFrontendUrldevtoolsFrontendUrlCompatweb
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://npmjs.org/package/cross-spawn
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap12.html
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap12.html).
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/clipboardy/-/clipboardy-4.0.0.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/execa/-/execa-8.0.1.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/get-stream/-/get-stream-8.0.1.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/human-signals/-/human-signals-5.0.0.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/is-docker/-/is-docker-3.0.0.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/is-inside-container/-/is-inside-container-1.0.0.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/is-stream/-/is-stream-3.0.0.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/is-wsl/-/is-wsl-3.1.0.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/is64bit/-/is64bit-2.0.0.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/merge-stream/-/merge-stream-2.0.0.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/mimic-fn/-/mimic-fn-4.0.0.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/npm-run-path/-/npm-run-path-5.3.0.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/onetime/-/onetime-6.0.0.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/path-key/-/path-key-4.0.0.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/strip-final-newline/-/strip-final-newline-3.0.0.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/system-architecture/-/system-architecture-0.1.0.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/uglifyjs/-/uglifyjs-2.4.11.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmjs.org/which/-/which-2.0.2.tgz
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://secure.travis-ci.org/grncdr/merge-stream.svg?branch=master)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://sindresorhus.com
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://sindresorhus.com/assets/thanks/transloadit-logo-dark.svg
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://sindresorhus.com/assets/thanks/transloadit-logo.svg
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://sindresorhus.com/unicorn
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://sourcemaps.info/spec.html
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://stackoverflow.com/a/5501711/3561
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://streams.spec.whatwg.org/#example-manual-write-with-backpressure
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://streams.spec.whatwg.org/#example-rbs-pull
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#eqn-modulo
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#prod-ClassContents
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#prod-ClassIntersection
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#prod-ClassSetCharacter
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#prod-ClassSetExpression
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#prod-ClassSetOperand
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#prod-ClassSetRange
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#prod-ClassSetReservedDoublePunctuator
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#prod-ClassSetReservedPunctuator
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#prod-ClassSetSyntaxCharacter
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#prod-ClassString
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#prod-ClassStringDisjunction
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#prod-ClassStringDisjunctionContents
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#prod-ClassSubtraction
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#prod-ClassUnion
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#prod-NestedClass
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#prod-NonEmptyClassString
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#sec-%typedarray%-intrinsic-object
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#sec-HostLoadImportedModule.
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#sec-timeclip
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#sec-tonumber
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.es/ecma262/#table-typeof-operator-results
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.github.io/ecma262/#sec-%typedarray%.of
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tc39.github.io/ecma262/#sec-object.prototype.tostring
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://termux.com/)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tidelift.com/subscription/pkg/npm-execa?utm_source=npm-execa&utm_medium=referral&utm_campaig
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tidelift.com/subscription/pkg/npm-is-stream?utm_source=npm-is-stream&utm_medium=referral&utm
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2397#section-2
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3492#section-3.4
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3986#section-3.2.2
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc6455#section-1.3
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7230#section-3.2.2
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7230#section-3.2.6
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7540#section-8.1.2.5
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://transloadit.com?utm_source=sindresorhus&utm_medium=referral&utm_campaign=sponsorship&utm_con
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-url
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-byte-serializer
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-parser
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-serializer
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#dom-urlsearchparams-urlsearchparams
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#forbidden-host-code-point
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#special-scheme
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#url
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#urlsearchparams
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#urlsearchparams-stringification-behavior
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://v8.dev/blog/v8-release-89
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://v8.dev/docs/stack-trace-api#customizing-stack-traces.
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://w3c.github.io/FileAPI/#creating-revoking
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://w3c.github.io/resource-timing/#dfn-mark-resource-timing
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://w3c.github.io/resource-timing/#dfn-setup-the-resource-timing-entry
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://w3c.github.io/resource-timing/#dom-performance-setresourcetimingbuffersize
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://w3c.github.io/webappsec-referrer-policy/#referrer-policy
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://w3c.github.io/webappsec-subresource-integrity/#the-integrity-attribute
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://w3c.github.io/webcrypto/#SubtleCrypto-method-wrapKey
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://w3c.github.io/webcrypto/#algorithm-normalization-normalize-an-algorithm
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://webidl.spec.whatwg.org/#Exposed
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://webidl.spec.whatwg.org/#Exposed.
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://webidl.spec.whatwg.org/#abstract-opdef-converttoint
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://webidl.spec.whatwg.org/#abstract-opdef-integerpart
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://webidl.spec.whatwg.org/#es-DOMString
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://webidl.spec.whatwg.org/#es-dictionary
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://websockets.spec.whatwg.org/
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://websockets.spec.whatwg.org/#dom-websocket-close
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://websockets.spec.whatwg.org/#dom-websocket-send
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://websockets.spec.whatwg.org/#feedback-from-the-protocol
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://wiki.squid-cache.org/SquidFaq/InnerWorkings#What_is_a_half-closed_filedescriptor.3F
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-line-terminators
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-promise.all
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/5.1/#sec-15.1.3.4
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Alternative
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Atom
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClass
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClassEscape
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtom
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtomNoDash
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassRanges
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ControlEscape
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ControlLetter
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalDigits
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalEscape
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Disjunction
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Hex4Digits
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigit
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigits
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexEscapeSequence
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRanges
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRangesNoDash
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-OctalDigit
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Pattern
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-PatternCharacter
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Quantifier
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-QuantifierPrefix
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-RegExpUnicodeEscapeSequence
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-SyntaxCharacter
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Assertion
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-AtomEscape
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-CharacterEscape
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassControlLetter
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassEscape
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedAtom
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedPatternCharacter
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-IdentityEscape
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-InvalidBracedQuantifier
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-LegacyOctalEscapeSequence
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Term
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#sec-atomescape
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#sec-term
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.github.com/ehmicky/human-signals
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.iana.org/assignments/tls-extensiontype-values
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.npmjs.com/package/human-signals)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.opensource.org/licenses/mit-license.php).
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc6266#section-4.3
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8288.html#section-3
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc9110#section-5.2
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.typescriptlang.org/docs/handbook/esm-node.html)
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://xhr.spec.whatwg.org/#interface-formdata

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50113 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 50120 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49959 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50101 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.16:49712 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\DocuFlex.exe

Code function: 0_2_0CD11E80 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,

0_2_0CD11E80

System Summary

Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_0CAE3D30	0_2_0CAE3D30
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_0CAE3E48	0_2_0CAE3E48
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_0CAE341C	0_2_0CAE341C
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_0CD1C509	0_2_0CD1C509
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_0CD10040	0_2_0CD10040
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_0CD1D690	0_2_0CD1D690
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_0CD1AE49	0_2_0CD1AE49
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_0CD1D1C8	0_2_0CD1D1C8
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_0E480D90	0_2_0E480D90
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_0E48749C	0_2_0E48749C
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_0E4821B1	0_2_0E4821B1
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_0E4821B1	0_2_0E4821B1
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_0E488388	0_2_0E488388
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_0E480D90	0_2_0E480D90
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_10A1F298	0_2_10A1F298
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_10A16CF8	0_2_10A16CF8
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_10A1B5E8	0_2_10A1B5E8
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_10A14EA0	0_2_10A14EA0
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_10A1D6C0	0_2_10A1D6C0
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_10A1A250	0_2_10A1A250
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_10A30040	0_2_10A30040
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_10A3E430	0_2_10A3E430
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_10A307A0	0_2_10A307A0
Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_10A31470	0_2_10A31470

Source: clipboard_x86_64.exe.0.dr	Static PE information: Number of sections : 13 > 10
Source: clipboard_i686.exe.0.dr	Static PE information: Number of sections : 15 > 10
Source: clipboard.exe.0.dr	Static PE information: Number of sections : 15 > 10

Source: DocuFlex.exe, 00000000.00000002.1619558958.000000000628E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs DocuFlex.exe
Source: DocuFlex.exe, 00000000.00000000.1168081456.0000000005BAD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamenode.exe* vs DocuFlex.exe

Source: classification engine

Classification label: mal42.winEXE@85/920@34/15

Source: f_000004.26.dr

Initial sample: https://cairographics.org

Source: C:\Users\user\Desktop\DocuFlex.exe

File created: C:\Users\user\AppData\Local\PDFInstaller

Jump to behavior

Source: C:\Users\user\Desktop\DocuFlex.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_03

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Local\PDFInstaller\chrome-profile\Default\Web Applications\Temp\scoped_dir3920_603076646

Jump to behavior

Source: DocuFlex.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DocuFlex.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.91%

Source: C:\Users\user\Desktop\DocuFlex.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DocuFlex.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DocuFlex.exe "C:\Users\user\Desktop\DocuFlex.exe"
Source: C:\Users\user\Desktop\DocuFlex.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\DocuFlex.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b node .
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\PDFInstaller\node.exe node .
Source: C:\Users\user\Desktop\DocuFlex.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c schtasks /create /tn "PDF" /xml "C:\Users\user\AppData\Local\PDFInstaller\task.xml" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "PDF" /xml "C:\Users\user\AppData\Local\PDFInstaller\task.xml" /f
Source: C:\Users\user\Desktop\DocuFlex.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --hide-crash-restore-bubble --restore-last-session --new-window "? starttt"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=1948,i,11845434080885918371,8269590411636599663,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "clipboard.exe --paste"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\PDFInstaller\clipboard.exe clipboard.exe --paste
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "clipboard.exe --copy"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\PDFInstaller\clipboard.exe clipboard.exe --copy
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --new-window --user-data-dir=C:\Users\user\AppData\Local\PDFInstaller\chrome-profile --start-maximized --app=http://localhost:56097
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Local\PDFInstaller\chrome-profile" --mojo-platform-channel-handle=2184 --field-trial-handle=2028,i,5394899628148401723,17653549358450679821,262144 /prefetch:8
Source: C:\Users\user\Desktop\DocuFlex.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b node .	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --hide-crash-restore-bubble --restore-last-session --new-window "? starttt"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\PDFInstaller\node.exe node .	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "clipboard.exe --paste"	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "clipboard.exe --copy"	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --new-window --user-data-dir=C:\Users\user\AppData\Local\PDFInstaller\chrome-profile --start-maximized --app=http://localhost:56097	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "PDF" /xml "C:\Users\user\AppData\Local\PDFInstaller\task.xml" /f	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=1948,i,11845434080885918371,8269590411636599663,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\PDFInstaller\clipboard.exe clipboard.exe --paste	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\PDFInstaller\clipboard.exe clipboard.exe --copy	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Local\PDFInstaller\chrome-profile" --mojo-platform-channel-handle=2184 --field-trial-handle=2028,i,5394899628148401723,17653549358450679821,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\clipboard.exe	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Users\user\Desktop\DocuFlex.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: DocuFlex.lnk.0.dr	LNK file: ..\AppData\Local\PDFInstaller\viewer.vbs
Source: Google Drive.lnk.16.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.16.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.16.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.16.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.16.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.16.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

PE / OLE file has a valid certificate

Source: DocuFlex.exe

Static PE information: certificate valid

PE file contains a COM descriptor data directory

Source: DocuFlex.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

PE file has a big code size

Source: DocuFlex.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: DocuFlex.exe

Static file information: File size 89507752 > 1048576

PE file has a big raw section

Source: DocuFlex.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x553e600

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: DocuFlex.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: DocuFlex.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: c:\ws\out\Release\node.pdb! source: DocuFlex.exe, 00000000.00000000.1168081456.0000000005985000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: c:\ws\out\Release\node.pdb source: DocuFlex.exe, 00000000.00000000.1168081456.0000000005985000.00000002.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: DocuFlex.exe

Static PE information: 0x9B9B27E4 [Sun Sep 22 16:52:52 2052 UTC]

Source: node.exe.0.dr	Static PE information: section name: _RDATA
Source: clipboard_i686.exe.0.dr	Static PE information: section name: /4
Source: clipboard_i686.exe.0.dr	Static PE information: section name: /14
Source: clipboard_i686.exe.0.dr	Static PE information: section name: /29
Source: clipboard_i686.exe.0.dr	Static PE information: section name: /41
Source: clipboard_i686.exe.0.dr	Static PE information: section name: /55
Source: clipboard_i686.exe.0.dr	Static PE information: section name: /67
Source: clipboard_i686.exe.0.dr	Static PE information: section name: /78
Source: clipboard_i686.exe.0.dr	Static PE information: section name: /89
Source: clipboard_x86_64.exe.0.dr	Static PE information: section name: .xdata
Source: clipboard_x86_64.exe.0.dr	Static PE information: section name: /4
Source: clipboard_x86_64.exe.0.dr	Static PE information: section name: /19
Source: clipboard_x86_64.exe.0.dr	Static PE information: section name: /31
Source: clipboard_x86_64.exe.0.dr	Static PE information: section name: /45
Source: clipboard.exe.0.dr	Static PE information: section name: /4
Source: clipboard.exe.0.dr	Static PE information: section name: /14
Source: clipboard.exe.0.dr	Static PE information: section name: /29
Source: clipboard.exe.0.dr	Static PE information: section name: /41
Source: clipboard.exe.0.dr	Static PE information: section name: /55
Source: clipboard.exe.0.dr	Static PE information: section name: /67
Source: clipboard.exe.0.dr	Static PE information: section name: /78
Source: clipboard.exe.0.dr	Static PE information: section name: /89

Source: C:\Users\user\Desktop\DocuFlex.exe	Code function: 0_2_10A136D4 push ebx; iretd	0_2_10A136DA
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Code function: 11_2_00007FF6B610C240 push eax; ret	11_2_00007FF6B610C241
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Code function: 11_2_00007FF6B610AF07 push ecx; ret	11_2_00007FF6B610AF08

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\DocuFlex.exe	File created: C:\Users\user\AppData\Local\PDFInstaller\node_modules\clipboardy\fallbacks\windows\clipboard_x86_64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DocuFlex.exe	File created: C:\Users\user\AppData\Local\PDFInstaller\node_modules\clipboardy\fallbacks\windows\clipboard_i686.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DocuFlex.exe	File created: C:\Users\user\AppData\Local\PDFInstaller\clipboard.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DocuFlex.exe	File created: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Local\PDFInstaller\chrome-profile\Default\Cache\Cache_Data\f_000004

Jump to dropped file

Creates license or readme file

Source: C:\Users\user\Desktop\DocuFlex.exe

File created: C:\Users\user\AppData\Local\PDFInstaller\node_modules\signal_exit\LICENSE.txt

Jump to behavior

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "PDF" /xml "C:\Users\user\AppData\Local\PDFInstaller\task.xml" /f

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\DocuFlex.exe	Memory allocated: 68C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Memory allocated: 82F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Memory allocated: A2F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\DocuFlex.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Thread delayed: delay time: 599173	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Thread delayed: delay time: 599061	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Thread delayed: delay time: 598949	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Thread delayed: delay time: 598835	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Thread delayed: delay time: 598727	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Thread delayed: delay time: 598615	Jump to behavior

Source: C:\Users\user\Desktop\DocuFlex.exe	Window / User API: threadDelayed 8920			Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Window / User API: threadDelayed 990			Jump to behavior

Source: C:\Users\user\Desktop\DocuFlex.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\PDFInstaller\node_modules\clipboardy\fallbacks\windows\clipboard_x86_64.exe

Jump to dropped file

Source: C:\Users\user\Desktop\DocuFlex.exe TID: 3928	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe TID: 3928	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe TID: 3928	Thread sleep time: -99888s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe TID: 3928	Thread sleep time: -99776s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe TID: 3928	Thread sleep time: -99665s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe TID: 3928	Thread sleep time: -99553s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe TID: 3928	Thread sleep time: -99427s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe TID: 3928	Thread sleep time: -99301s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe TID: 3928	Thread sleep time: -599173s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe TID: 3928	Thread sleep time: -599061s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe TID: 3928	Thread sleep time: -598949s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe TID: 3928	Thread sleep time: -598835s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe TID: 3928	Thread sleep time: -598727s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe TID: 3928	Thread sleep time: -598615s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\DocuFlex.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Thread delayed: delay time: 99888	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Thread delayed: delay time: 99776	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Thread delayed: delay time: 99665	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Thread delayed: delay time: 99553	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Thread delayed: delay time: 99427	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Thread delayed: delay time: 99301	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Thread delayed: delay time: 599173	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Thread delayed: delay time: 599061	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Thread delayed: delay time: 598949	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Thread delayed: delay time: 598835	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Thread delayed: delay time: 598727	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Thread delayed: delay time: 598615	Jump to behavior

Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: bCK1sK9IRQq9qEmUv4RDsNuESgMjGWdqb8FuvAY5N9GIIvejQjBAMA8GA1UdEwEB/wQFMAMB
Source: DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: lgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4zJVSk/BwJVmcIGfE
Source: DocuFlex.exe, 00000000.00000002.1622751939.00000000062F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\DocuFlex.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\DocuFlex.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\DocuFlex.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\DocuFlex.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b node .	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --hide-crash-restore-bubble --restore-last-session --new-window "? starttt"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\PDFInstaller\node.exe node .	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "clipboard.exe --paste"	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "clipboard.exe --copy"	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --new-window --user-data-dir=C:\Users\user\AppData\Local\PDFInstaller\chrome-profile --start-maximized --app=http://localhost:56097	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "PDF" /xml "C:\Users\user\AppData\Local\PDFInstaller\task.xml" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\PDFInstaller\clipboard.exe clipboard.exe --paste	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\PDFInstaller\clipboard.exe clipboard.exe --copy	Jump to behavior

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Users\user\Desktop\DocuFlex.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\userbrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\userbrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\userbrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\userbriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\userFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\userFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\userFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\userST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\userSTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\userSTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\userSTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DocuFlex.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\index.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\index.html VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\build\pdf.mjs VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\web\viewer.css VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\welcome.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\web\viewer.mjs VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\web\images\toolbarButton-viewThumbnail.svg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\web\images\toolbarButton-viewOutline.svg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\web\images\toolbarButton-viewAttachments.svg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\web\images\toolbarButton-viewLayers.svg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\web\images\toolbarButton-pageDown.svg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\web\images\toolbarButton-editorStamp.svg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\web\images\toolbarButton-editorFreeText.svg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\web\images\toolbarButton-download.svg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\web\images\toolbarButton-zoomOut.svg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\web\images\toolbarButton-print.svg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\web\images\toolbarButton-editorHighlight.svg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\web\images\toolbarButton-editorInk.svg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\web\images\toolbarButton-secondaryToolbarToggle.svg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\web\images\toolbarButton-menuArrow.svg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\web\images\toolbarButton-zoomIn.svg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\web\images\toolbarButton-sidebarToggle.svg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\web\images\toolbarButton-search.svg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\PDFInstaller\node.exe	Queries volume information: C:\Users\user\AppData\Local\PDFInstaller\data\web\images\toolbarButton-pageUp.svg VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\DocuFlex.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Spearphishing Link	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	11 Masquerading	1 Input Capture	1 Security Software Discovery	Remote Services	1 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DocuFlex.exe	3%	Virustotal		Browse
DocuFlex.exe	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\PDFInstaller\clipboard.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\PDFInstaller\node.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\PDFInstaller\node_modules\bin.is-docker	0%	ReversingLabs
C:\Users\user\AppData\Local\PDFInstaller\node_modules\bin.is-inside-container	0%	ReversingLabs
C:\Users\user\AppData\Local\PDFInstaller\node_modules\bin.node-which	0%	ReversingLabs
C:\Users\user\AppData\Local\PDFInstaller\node_modules\bin\is-docker.ps1	0%	ReversingLabs
C:\Users\user\AppData\Local\PDFInstaller\node_modules\bin\is-inside-container.ps1	0%	ReversingLabs
C:\Users\user\AppData\Local\PDFInstaller\node_modules\bin\node-which.ps1	0%	ReversingLabs
C:\Users\user\AppData\Local\PDFInstaller\node_modules\clipboardy\fallbacks\linux.xsel	0%	ReversingLabs
C:\Users\user\AppData\Local\PDFInstaller\node_modules\clipboardy\fallbacks\windows\clipboard_i686.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\PDFInstaller\node_modules\clipboardy\fallbacks\windows\clipboard_x86_64.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\PDFInstaller\node_modules\is_docker\cli.js	0%	ReversingLabs
C:\Users\user\AppData\Local\PDFInstaller\node_modules\is_inside_container\cli.js	0%	ReversingLabs
C:\Users\user\AppData\Local\PDFInstaller\node_modules\which\bin.node-which	0%	ReversingLabs

Source	Detection	Scanner	Label
https://fetch.spec.whatwg.org/#requestcache	0%	Avira URL Cloud	safe
https://w3c.github.io/webappsec-referrer-policy/#referrer-policy	0%	Avira URL Cloud	safe
https://fetch.spec.whatwg.org/#dom-response	0%	Avira URL Cloud	safe
https://tc39.es/ecma262/#prod-ClassStringDisjunctionContents	0%	Avira URL Cloud	safe
https://fetch.spec.whatwg.org/#concept-header-list-delete	0%	Avira URL Cloud	safe
https://fetch.spec.whatwg.org/#header-list-contains	0%	Avira URL Cloud	safe
https://tc39.es/ecma262/#prod-ClassUnion	0%	Avira URL Cloud	safe
https://tc39.es/ecma262/#prod-ClassSetRange	0%	Avira URL Cloud	safe
https://tc39.es/ecma262/#prod-ClassSetSyntaxCharacter	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
plus.l.google.com	142.250.185.78	true	false	high
i.ytimg.com	216.58.206.54	true	false	high
static.doubleclick.net	142.250.185.198	true	false	high
youtube-ui.l.google.com	142.250.184.206	true	false	high
play.google.com	142.250.185.238	true	false	high
googleads.g.doubleclick.net	142.250.186.66	true	false	high
www3.l.google.com	142.250.185.110	true	false	high
dns-tunnel-check.googlezip.net	216.239.34.159	true	false	high
tunnel.googlezip.net	216.239.34.157	true	false	high
id.google.com	142.251.34.3	true	false	high
www.google.com	142.250.185.164	true	false	high
googlehosted.l.googleusercontent.com	216.58.206.33	true	false	high
docu-flex.com	188.114.96.3	true	false	high
clients2.googleusercontent.com	unknown	unknown	false	high
chrome.google.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
apis.google.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://www.google.com/xjs/_/js/k=xjs.s.en.rVvGaTzUuak.2018.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAARQAAKAAAAAAAAAAJAAIAAAAAAAAACABAAAAAAAAAEBQACChAAABAAAAAAAJgAAAAIWAAEDAAAAAAAAACAAAAAAgQgA-_2HAwAAAAAAAAAAAAAIQAIAAAAAAABcAAAI8CHYAwIAAACAAAAAAIAAAAAAAEAAAACAAgAAAAAAAAAABAAAAAAAAAEAAAAgAAD0AQAAAAAAAAAAAAAACAAAAAAAgAFQAAAB_AAAAAAAAAAOAAAACBAAAACOgQEIAAAAAAAAwB4AHg8IhxQWAAAAAAAAAAAAAAAAgAAkCOZA-gsCEAAAAAAAAAAAAAAAAAAAAFIETVzeAIA/d=0/dg=0/br=1/rs=ACT90oEb5gFabjsgECjDfOsDNg-rPiA7_Q/m=Ko78Df?xjs=s4	false	high
https://www.google.com/gen_204?atyp=i&ei=Wxm1Z82XGIWilQe77s3oDQ&dt19=2&prm23=0&zx=1739921759649&opi=89978449	false	high
https://www.google.com/favicon.ico	false	high
https://www.google.com/gen_204?atyp=csi&ei=Yhm1Z-qPDJTo7_UPjoTHuQs&s=async&astyp=vpkg&ima=0&imn=0&mem=ujhs.14,tjhs.19,jhsl.2173,dm.8&nv=ne.1,feid.a05b6882-d4bb-4924-8e87-c1ae9c0429eb&hp=&rt=ttfb.1356,st.1628,bs.107100,aaft.1630,acrt.1630,art.1630&zx=1739921761325&opi=89978449	false	high
https://www.google.com/gen_204?atyp=i&ei=Wxm1Z82XGIWilQe77s3oDQ&ct=slh&v=t1&m=HV&aqid=Wxm1Z7nAHIDGjuwP88ruIQ&pv=0.9982937533289784&me=1:1739921754534,V,0,0,1034,870:0,B,2596:0,N,1,Wxm1Z82XGIWilQe77s3oDQ:0,R,1,8,28,36,92,33:0,R,1,CAsQAA,28,88,861,57:0,R,1,CAsQAQ,28,88,841,45:0,R,1,CBIQAA,18,88,36,45:0,R,1,CBIQAQ,18,102,36,31:0,R,1,CBEQAA,56,90,66,42:0,R,1,CBEQAQ,56,90,66,42:0,R,1,CBAQAA,123,90,63,42:0,R,1,CBAQAQ,123,90,63,42:0,R,1,CA8QAA,188,90,79,42:0,R,1,CA8QAQ,188,90,79,42:0,R,1,CA4QAA,269,90,55,42:0,R,1,CA4QAQ,269,90,55,42:0,R,1,CA0QAA,326,90,54,42:0,R,1,CA0QAQ,326,90,54,42:0,R,1,CAwQAA,382,90,67,42:0,R,1,CAwQAQ,382,90,67,42:0,R,1,CAQQBw,28,188,652,2131:0,R,1,CCQQAA,28,188,652,354:0,R,1,CBsQAA,28,240,204,242:0,R,1,CBoQAA,252,240,204,242:0,R,1,CBwQAA,476,240,204,242:0,R,1,CCQQCA,28,506,652,36:0,R,1,CCMQAA,28,586,652,117:0,R,1,CB4QAA,28,733,652,95:0,R,1,CCEQAA,28,857,652,117:2209,x:35917,e,B&zx=1739921792661&opi=89978449	false	high
https://www.google.com/gen_204?atyp=i&ei=Wxm1Z82XGIWilQe77s3oDQ&vet=12ahUKEwiNsavRsc6LAxUFUeUKHTt3E90QuqMJegQIBxAA..s&bl=NndY&s=web&lpl=CAUYATAPOANiCAgFEIDcsuoC&zx=1739921759730&opi=89978449	false	high
https://www.google.com/xjs/_/js/k=xjs.s.en.rVvGaTzUuak.2018.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAARQAAKAAAAAAAAAAJAAIAAAAAAAAACABAAAAAAAAAEBQACChAAABAAAAAAAJgAAAAIWAAEDAAAAAAAAACAAAAAAgQgA-_2HAwAAAAAAAAAAAAAIQAIAAAAAAABcAAAI8CHYAwIAAACAAAAAAIAAAAAAAEAAAACAAgAAAAAAAAAABAAAAAAAAAEAAAAgAAD0AQAAAAAAAAAAAAAACAAAAAAAgAFQAAAB_AAAAAAAAAAOAAAACBAAAACOgQEIAAAAAAAAwB4AHg8IhxQWAAAAAAAAAAAAAAAAgAAkCOZA-gsCEAAAAAAAAAAAAAAAAAAAAFIETVzeAIA/d=0/dg=0/br=1/rs=ACT90oEb5gFabjsgECjDfOsDNg-rPiA7_Q/m=sy2aa,P10Owf,sy1pl,sy1ou,WlNQGd,sy4k3,sy4in,nabPbb,sy1ot,sy1or,symz,sy1ng,CnSW2d,sy81j,sy5o6,sy1i6,syzi,syzg,syzh,sy1ps,sy1pq,VD4Qme,syhu,BYwJlf,sy19b,sy198,sy197,VEbNoe,syvy,UBXHI,sy18h,sy18g,Dq2Yjb,sy18k,sy18j,sy18i,NVlnE,sy17w,sy17v,qmdEUe,sy18m,sy18l,sy186,UqGwg,sy1re,fiAufb,sy1rd,sy1rc,q00IXe,sy1ri,sy1rh,sy1rf,Fh0l0,sy4cz,qcH9Lc,sy4c4,sy4ce,gCngrf,pjDTFb,sy4cn,sy2qo,KgxeNb,sy4cj,khkNpe?xjs=s4	false	high
https://www.google.com/xjs/_/js/k=xjs.s.en.rVvGaTzUuak.2018.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAARQAAKAAAAAAAAAAJAAIAAAAAAAAACABAAAAAAAAAEBQACChAAABAAAAAAAJgAAAAIWAAEDAAAAAAAAACAAAAAAgQgA-_2HAwAAAAAAAAAAAAAIQAIAAAAAAABcAAAI8CHYAwIAAACAAAAAAIAAAAAAAEAAAACAAgAAAAAAAAAABAAAAAAAAAEAAAAgAAD0AQAAAAAAAAAAAAAACAAAAAAAgAFQAAAB_AAAAAAAAAAOAAAACBAAAACOgQEIAAAAAAAAwB4AHg8IhxQWAAAAAAAAAAAAAAAAgAAkCOZA-gsCEAAAAAAAAAAAAAAAAAAAAFIETVzeAIA/d=0/dg=0/br=1/rs=ACT90oEb5gFabjsgECjDfOsDNg-rPiA7_Q/m=I46Hvd?xjs=s4	false	high
https://www.google.com/xjs/_/js/k=xjs.s.en.rVvGaTzUuak.2018.O/ck=xjs.s.J-afBL40dv0.L.B1.O/am=AOIQIAQAAAACAABACAAVAAQAAAAAAAAAAAAAAAAAAAAAAAAASAAAAIAAAQAAAAAAgAAAAARRAAKAlEkAAAAAgpMCIMAOAAAAAB-ARJwKgAAAAAEBQACChAAABAAEAAIAJoQAAAIWAAEDQBAAAAACACwAACAAgQgA-_2PAwMAMAAAAAAIAEIIQgIQABgAAAdcAEgI8CHYAxIAsBCEAGAAAIAAAAAKwEMwDICgAmAARwABAACADAAAAAAAAgGEAABgAFD0AQQIAAB6AAjABwAgCSIAQAgAgAFQCAAJ_AAAASAAAACOIBAACBBaAACOgQEIAAAAAAAAwB4AHg8IhxQWAAAAAAAAAAAAAAAAgAAkCOZA-gsCEAAAAAAAAAAAAAAAAAAAAFIETVzeAIA/d=0/dg=0/br=1/ujg=1/rs=ACT90oGKARqzuXTr1-twHgnDnoV1cean1Q/m=UMk45c,bplExb,nMfLA,O19q8,xMHx5e,R6UkWb,tW711b,UX8qee,tDA9G,sy4t0,syz1,syyz,sy14s,syzf,syyy,syze,syz2,syz3,sy3ax,sy3ay,sy3az,sy30r,sy12q,sy2v1,syr7,sy2uy,sy2uv,sy16e,sy14p,sy14q,sy14r,sy3if,sy19a,sy14o,sy139,sy13a,sy137,sy135,sy3b0,sy30p,sy199,sy155,sy154,sy14e,sy156,sy13s,sy13q,sy14d,Eox39d,sy80,sy7z,syip,syil,syim,syik,syiy,syiw,syiv,syiu,syiq,syij,syc9,syee,syef,sycb,sycq,syci,sycn,sycm,sycl,syck,sych,syc6,sycf,sycg,syco,syct,sycr,sycc,syc1,syca,syc7,sycu,syc5,sybv,sybs,sybd,syb0,sybp,syag,syd7,syb1,syeh,syec,sye0,sye4,sydv,sydu,sydp,sydn,syaf,syae,sydo,sydl,sydk,sydt,sydq,sydi,sydh,sydg,syde,sydd,sydf,syda,syd9,syat,syd6,sybm,sybi,syb2,sybg,syb5,syb4,sybc,syba,syb9,syb3,syai,sya6,sydb,sycx,sycy,sycz,sybu,syby,sydr,syi9,syii,syie,syif,sy8w,sy8s,sy8v,syib,syge,syig,syia,syi8,syi5,syi4,syi3,syi1,sy8z,uxMpU,syht,syer,sydx,syen,syep,syei,syeq,syek,sybx,syd0,syel,syed,sy9m,sy9h,sy9g,sy9f,sy9e,Mlhmy,QGR0gd,OTA3Ae,sy81,EEDORb,PoEs9b,Pjplud,sy9a,sy96,sy94,A1yn5d,YIZmRd,uY49fb,sy8p,sy8n,sy8o,sy8m,sy8k,byfTOb,lsjVmc,LEikZe,kWgXee,ovKuLd,sgY6Zb,sy9s,sy9q,sy8y,xUdipf,NwH0H?xjs=s3	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://nodejs.org/api/v8.html#v8_v8_serialize_value)	DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc6455#section-1.3	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.ecma-international.org/ecma-262/8.0/#sec-atomescape	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-Atom	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.fontbureau.com/designers	DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	false		high
https://console.spec.whatwg.org/#table	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/moxystudio/node-cross-spawn	DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	false		high
https://registry.npmjs.org/onetime/-/onetime-6.0.0.tgz	DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/moxystudio/node-cross-spawn/issues/82)	DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	false		high
https://encoding.spec.whatwg.org/#textencoder	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://fetch.spec.whatwg.org/#dom-response	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://nodejs.org/api/webstreams.html#streamconsumersbufferstream)	DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	false		high
https://tc39.es/ecma262/#prod-ClassStringDisjunctionContents	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/tc39/proposal-weakrefs	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://goo.gl/t5IS6M).	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://nodejs.org/api/stream.html#readablepipedestination-options)	DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tc39.es/ecma262/#prod-ClassSetRange	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Assertion	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.galapagosdesign.com/DPlease	DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/nodejs/node/issues/44985	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.js	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://nodejs.org/api/webstreams.html#streamconsumerstextstream)	DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	false		high
https://url.spec.whatwg.org/#concept-urlencoded-serializer	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://url.spec.whatwg.org/#dom-urlsearchparams-urlsearchparams	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://wiki.squid-cache.org/SquidFaq/InnerWorkings#What_is_a_half-closed_filedescriptor.3F	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/ehmicky/get-node)	DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nodejs.org/api/fs.html	DocuFlex.exe, 00000000.00000000.1168081456.00000000051A4000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://developer.mozilla.org/en-US/docs/Web/API/Clipboard_API#Browser_compatibility).	DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	false		high
https://codecov.io/gh/ehmicky/human-signals)	DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/nodejs/node/pull/21313	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.ascendercorp.com/	DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRanges	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.midnight-commander.org/browser/lib/tty/key.c	DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://nodejs.org/	DocuFlex.exe, 00000000.00000000.1168081456.00000000051A4000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://tools.ietf.org/html/rfc7540#section-8.1.2.5	DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-Hex4Digits	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.squid-cache.org/Doc/config/half_closed_clients/	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalEscape	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassControlLetter	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://transloadit.com?utm_source=sindresorhus&utm_medium=referral&utm_campaign=sponsorship&utm_con	DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	false		high
https://tc39.es/ecma262/#sec-timeclip	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://nodejs.org/api/process.html#processarch)	DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/nodejs/node/pull/33661	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
http://narwhaljs.org)	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/sindresorhus/into-stream)	DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/WICG/scheduling-apis	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/nodejs/node/pull/48477#issuecomment-1604586650	DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://code.google.com/p/chromium/issues/detail?id=25916	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://fetch.spec.whatwg.org/#concept-header-list-delete	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://webidl.spec.whatwg.org/#abstract-opdef-converttoint	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://fetch.spec.whatwg.org/#fetch-timing-info	DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://nodejs.org/dist/latest-v6.x/docs/api/child_process.html#child_process_options_stdio).	DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/nodejs/node/pull/12607	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/sindresorhus/win-clipboard).	DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	false		high
https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope.	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.ecma-international.org/ecma-262/#sec-line-terminators	DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://w3c.github.io/webappsec-referrer-policy/#referrer-policy	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://fetch.spec.whatwg.org/#requestcache	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://fetch.spec.whatwg.org/#header-list-contains	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://medium.com/	DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	false		high
http://html4/loose.dtd	DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.founder.com.cn/cn/bThe	DocuFlex.exe, 00000000.00000002.1668733388.000000000C452000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tc39.es/ecma262/#prod-ClassSetSyntaxCharacter	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://tc39.es/ecma262/#prod-ClassUnion	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.unicode.org/copyright.html	DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.000000000477E000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000004769000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000003874000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.00000000047A4000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000004274000.00000002.00000001.01000000.00000003.sdmp	false		high
https://nodejs.org/api/process.html#process_signal_events).	DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	false		high
https://nodejs.org/api/stream.html#stream_class_stream_readable).	DocuFlex.exe, 00000000.00000002.1632147933.00000000088B1000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.00000000088C9000.00000004.00000800.00020000.00000000.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedAtom	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://heycam.github.io/webidl/#es-iterable-entries	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://heycam.github.io/webidl/#es-interfaces	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://nodejs.org/api/process.html#process_signal_events)	DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000002.1632147933.0000000008829000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/isaacs/isexe.git	DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/nodejs/node/issues	DocuFlex.exe, 00000000.00000000.1168081456.00000000051A4000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigits	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/denoland/deno/blob/main/LICENSE.md.	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://encoding.spec.whatwg.org/#encode-and-enqueue-a-chunk	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://tc39.github.io/ecma262/#sec-object.prototype.tostring	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://url.spec.whatwg.org/#urlsearchparams	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://crbug.com/v8/8520	DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/sponsors/isaacs	DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	false		high
https://nodejs.org/download/release/v20.12.2/node-v20.12.2-headers.tar.gz	DocuFlex.exe, 00000000.00000000.1168081456.00000000051A4000.00000002.00000001.01000000.00000003.sdmp, DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://infra.spec.whatwg.org/#ascii-whitespace	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/moxystudio/node-cross-spawn/actions/workflows/ci.yaml/badge.svg	DocuFlex.exe, 00000000.00000000.1168081456.0000000001302000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.rfc-editor.org/rfc/rfc9110#section-5.2	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://streams.spec.whatwg.org/#example-manual-write-with-backpressure	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/nodejs/node/pull/30380#issuecomment-552948364	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setinterval	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://heycam.github.io/webidl/#dfn-iterator-prototype-object	DocuFlex.exe, 00000000.00000000.1168081456.0000000002A7A000.00000002.00000001.01000000.00000003.sdmp	false		high
http://.jpg	DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://datatracker.ietf.org/doc/html/rfc7238	DocuFlex.exe, 00000000.00000000.1168081456.000000000347A000.00000002.00000001.01000000.00000003.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
216.58.206.33	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
216.58.206.54	i.ytimg.com	United States	15169	GOOGLEUS	false
142.250.185.164	www.google.com	United States	15169	GOOGLEUS	false
142.251.34.3	id.google.com	United States	15169	GOOGLEUS	false
216.58.212.132	unknown	United States	15169	GOOGLEUS	false
142.250.185.198	static.doubleclick.net	United States	15169	GOOGLEUS	false
142.250.185.110	www3.l.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
188.114.96.3	docu-flex.com	European Union	13335	CLOUDFLARENETUS	false
172.217.18.22	unknown	United States	15169	GOOGLEUS	false
142.250.186.66	googleads.g.doubleclick.net	United States	15169	GOOGLEUS	false
216.239.34.157	tunnel.googlezip.net	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16
192.168.2.5
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1618576
Start date and time:	2025-02-19 00:34:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DocuFlex.exe
Detection:	MAL
Classification:	mal42.winEXE@85/920@34/15
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 96% Number of executed functions: 135 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 142.250.186.99, 108.177.15.84, 142.250.185.206, 142.250.185.67, 142.250.181.227, 142.250.186.35, 142.250.186.130, 142.250.186.106, 172.217.16.202, 142.250.185.202, 142.250.181.234, 142.250.186.42, 142.250.185.138, 142.250.186.74, 216.58.206.42, 142.250.184.234, 216.58.206.74, 142.250.185.234, 142.250.186.170, 142.250.185.170, 142.250.186.138, 172.217.18.10, 142.250.184.202, 172.217.18.106, 172.217.23.106, 142.250.185.106, 216.58.212.170, 142.250.185.74, 142.250.185.174, 142.250.185.99, 173.194.76.84, 216.58.212.138, 172.217.16.138, 142.250.74.202, 142.250.186.131, 216.58.206.67, 142.250.184.238, 142.250.186.46, 142.250.185.78, 142.250.186.174, 142.250.181.238, 142.250.186.142, 216.58.206.78, 142.250.186.78, 142.250.185.238, 142.250.184.206, 216.58.212.174, 142.250.185.142, 142.250.186.110, 172.217.16.206, 2.19.106.160, 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): www.googleadservices.com, slscr.update.microsoft.com, clientservices.googleapis.com, clients2.google.com, redirector.gvt1.com, ocsps.ssl.com, update.googleapis.com, www.gstatic.com, optimizationguide-pa.googleapis.com, clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, otelrules.azureedge.net, fonts.gstatic.com, encrypted-tbn0.gstatic.com, ctldl.windowsupdate.com, ogads-pa.googleapis.com, encrypted-tbn2.gstatic.com, encrypted-tbn3.gstatic.com, www.googleapis.com, jnn-pa.googleapis.com, encrypted-tbn1.gstatic.com, fe3cr.delivery.mp.microsoft.com, edgedl.me.gvt1.com, clients.l.google.com
Execution Graph export aborted for target node.exe, PID 2660 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
18:35:12	API Interceptor	1x Sleep call for process: dllhost.exe modified
18:35:36	API Interceptor	162x Sleep call for process: DocuFlex.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
239.255.255.250	http://iunkxaqoin.com/	Get hash	malicious	Unknown	Browse
	http://www.pagina.pro/help-facebook-support-business-authentication-accountscenter-checkpoint-next/	Get hash	malicious	Unknown	Browse
	https://u.to/04nrIQ	Get hash	malicious	Unknown	Browse
	http://krakenen-login.gitbook.io/	Get hash	malicious	Unknown	Browse
	https://sltreanmcommnunlty.com/nurka/kisloy/efotr	Get hash	malicious	Unknown	Browse
	https://boullilounniya-8678.vercel.app/mpn.kidgl/	Get hash	malicious	HTMLPhisher	Browse
	https://securitydigitalimpact.vercel.app/3ae&25&93cf6=5a&1eGK9d0xe13da4b=D400e	Get hash	malicious	HTMLPhisher	Browse
	https://unlawfulcontentdigitalhype.vercel.app/submit&	Get hash	malicious	HTMLPhisher	Browse
	http://www.zyry.sk/wp-admin/maint/connexion/espace-client/password	Get hash	malicious	Unknown	Browse
	https://cdn.trytraffics.com/rdr/YWE9Mzc4MjA0NTU0JnNlaT0zMDQ1MjM1NCZ0az13alE4Mkd0TzB3NWZSR1VsSnB1TSZ0PTUmYz05MGFzODc2ZmQ4OWFzNWZnOGEwOXM=	Get hash	malicious	Unknown	Browse
188.114.96.3	laser (2).ps1	Get hash	malicious	FormBook	Browse	www.nmw365.xyz/d3qr/
	ZmK1CAc4VP.exe	Get hash	malicious	FormBook	Browse	www.adventurerepair24.live/qr1m/
	UPDATED SOA.pdf.exe	Get hash	malicious	FormBook	Browse	www.timeinsardinia.info/fxnj/
	PO# 81136575.exe	Get hash	malicious	FormBook	Browse	www.kdjsswzx.club/65bl/
	http://ctakkponmndiri.siitusressmi.web.id/	Get hash	malicious	Unknown	Browse	ctakkponmndiri.siitusressmi.web.id/favicon.png
	http://facebooksupports.tempisite.com/ils972/	Get hash	malicious	Unknown	Browse	facebooksupports.tempisite.com/favicon.ico
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Azorult	Browse	gdm5.icu/HL341/index.php
	BIS_MT103 101T000000121121.exe	Get hash	malicious	FormBook	Browse	www.actpisalnplay.cyou/vywx/
	new quotation.exe	Get hash	malicious	FormBook	Browse	www.timeinsardinia.info/a84t/
	payment transfer form.exe	Get hash	malicious	FormBook	Browse	www.timeinsardinia.info/a84t/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
dns-tunnel-check.googlezip.net	justificante.rar	Get hash	malicious	Unknown	Browse	216.239.34.159
	https://github.com/Berusol/Xeno-Executor/releases/download/Setup/Xeno.Roblox.rar	Get hash	malicious	LummaC Stealer, PureLog Stealer, Xmrig, zgRAT	Browse	216.239.34.159
	http://%5B%22https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Femail.bcbssettlement.com%2Fc%2FeJxkzL1OwzAQAOCnscfIPv9m8IAgERVqQRTm6OxcVaPERcnB87Owdf_0zclG8M5JSjqY2Gvd91FekzYqO3LxgkXb4rxykA1hCME4F0KRNYECp0AFFZQ3sQNvvLUzImU7a62FVbnkfSfmhVZq3JXbKpd0Zf7ehXkQMAoYdyo_G3X3UsA4E9O21oZcb01u6YuwUaOON7zUgo1JWIVLrv83p_Pzy_T2PhwPn8fp9PpxeBym83B6kr8J_gIAAP__kjFIFA&data=05%7C02%7Cjeanene.traficante%40albint.com%7C1fdf299aa52a4a651cc208dd4745f85b%7Cff3d33ae31364152812675e51f4a1404%7C0%7C0%7C638745088046675413%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=fGCIRyUUbeFPm7FcRl%2FZ7oH%2FXi3jt5H1pOFROm4%2BJoY%3D&reserved=0%22,%20%222f9fb485af706049f5d23654ae36fb8f%22%5D	Get hash	malicious	Unknown	Browse	216.239.34.159
	rclone.exe	Get hash	malicious	Unknown	Browse	216.239.34.159
	https://primebeefjerusalem.com/docusigndocuments/docusigned/index.html?userid=natasha.joukhdar@hfw.com	Get hash	malicious	Unknown	Browse	216.239.34.159
	Bontrageroutdoors-Payout.pdf	Get hash	malicious	Unknown	Browse	216.239.34.159
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	216.239.34.159
	https://graphics.custombrandedboxesbyfedex.com	Get hash	malicious	Unknown	Browse	216.239.34.159
	newfile (1).exe	Get hash	malicious	PureLog Stealer	Browse	216.239.34.159
	build.exe	Get hash	malicious	PureLog Stealer	Browse	216.239.34.159
play.google.com	https://drive.google.com/file/d/1D5-KYFqfC0fkqDI5TZQZfexXtk53o0CJ/view?usp=sharing_eip&ts=67b4fad7	Get hash	malicious	ScreenConnect Tool	Browse	216.58.206.78
	https://www.asbestos-testing-uk.com/my-account-2	Get hash	malicious	Unknown	Browse	172.217.18.14
	http://orcaslicer.net	Get hash	malicious	Unknown	Browse	142.250.185.238
	https://straight-jewelry-closest-broader.trycloudflare.com/cloudfla	Get hash	malicious	Unknown	Browse	216.58.206.46
	https://pdfsnippingtool.en.download.it/#:~:text=PDF%20Snipping%20Tool%20is%20a,or%20the%20entire%20page%20itself.	Get hash	malicious	Unknown	Browse	216.58.206.78
	https://www.imanageshare.com/p/kpg7UplLEWgPiXta3D-_u79ErH23h-0652swsPirou7BmzQOe3XKstwId7AxuwOU2U6DP29ZXAd0aPnMTaBYHVqtFoCXGzvRDXTAKKm_MlG2knY8Tx6lZMssZTqtprtOYn2xwrabcvFewyhixglBSD-6RCUpWhPkw7_uAnO84QIVU2CTy6q103I5jWBpKvKyVsIDBW9DgehyaEETg1KQ2Q	Get hash	malicious	HTMLPhisher	Browse	172.217.18.110
	https://mydrive.connect.aig/:f:/g/personal/jacek_zawlodzki_aig_com/EqxanQ_0H1JOsGY1BKwyyDgBnwHP3X2lkYEQS6VecEan9Q	Get hash	malicious	Unknown	Browse	142.250.185.110
	10_feb	Get hash	malicious	Unknown	Browse	142.250.185.110
	https://pioneerselectricals.ae/af	Get hash	malicious	Unknown	Browse	142.250.184.206
	https://hs-7396679.s.hubspotemail.net/hs/preferences-center/fr/page?data=W2nXS-N30h-FSW3z2Xb01N5Z5cW4fFhVH21sZ6TW255sGy41tBsYW3HcYG247vzsgW1Z47HF2Tgj-kW32gz-l2CtkNpW3LYWsY3QBRcTW4tG7X02xyspNW43DKv_2PFk1fW2WF-4r2w0h-yW49w9hg4ttzQ_W2HCpVw4ctRpPW43Sjb52HRv0CW3hXdPZ1VyBgtW2zHPTv49NmP6W2-9WZv2FG4k6W2359bN2RDH30W41rTvS2HQBxKW2Pn7cC1QksyKW3Z-Byf3ZFjvJW1X7H033QMstBW3H37s43gpDcMW1Bw3G124VmYkW4rw2ZT4fnXxnW2xX1CV1S9M8xW4cvDwg1_l7sdW3dyKVz2KBL5rW3ZK0Rf45V9BlW1Z8hKF1BFTl4W3VYxvq23qKH8W4mLzhm1BH5NyW4rxfYK41v0nTW3JJkf72zQpzyW3VGYj83K2-G7W1Npn714hJmTQW3z2-wK3QBkJcW2xYl5d3SZ_4KW2RKh1l2TylJ8W2p1FC01BtR6TW2RLsZz3jtG66W309kBf45wbf-W3zgcfz1LgZtvW1BccC01SsLS8W1_f4lk2w0dyjW3M7JMr4p8sXkW2WP1sL3Z-Dc10&utm_source=hs_automation&utm_medium=email&utm_content=117964848&_hsenc=p2ANqtz-9nHlzvhRJEFc_67dG81i7d_LBoKbrWJZVA0xKMKwKlfiU6z88-189miZyWac2MoGPmQGia1iM1Ee5i2BLwyVVXuMdUZOWB9UhETv9F1p0BkcZltnM&_hsmi=117964848	Get hash	malicious	Unknown	Browse	142.250.184.238
plus.l.google.com	https://drive.google.com/file/d/1D5-KYFqfC0fkqDI5TZQZfexXtk53o0CJ/view?usp=sharing_eip&ts=67b4fad7	Get hash	malicious	ScreenConnect Tool	Browse	172.217.18.14
	https://www.asbestos-testing-uk.com/my-account-2	Get hash	malicious	Unknown	Browse	172.217.18.14
	https://straight-jewelry-closest-broader.trycloudflare.com/cloudfla	Get hash	malicious	Unknown	Browse	142.250.185.174
	https://pdfsnippingtool.en.download.it/#:~:text=PDF%20Snipping%20Tool%20is%20a,or%20the%20entire%20page%20itself.	Get hash	malicious	Unknown	Browse	142.250.181.238
	https://www.imanageshare.com/p/kpg7UplLEWgPiXta3D-_u79ErH23h-0652swsPirou7BmzQOe3XKstwId7AxuwOU2U6DP29ZXAd0aPnMTaBYHVqtFoCXGzvRDXTAKKm_MlG2knY8Tx6lZMssZTqtprtOYn2xwrabcvFewyhixglBSD-6RCUpWhPkw7_uAnO84QIVU2CTy6q103I5jWBpKvKyVsIDBW9DgehyaEETg1KQ2Q	Get hash	malicious	HTMLPhisher	Browse	142.250.185.238
	https://mydrive.connect.aig/:f:/g/personal/jacek_zawlodzki_aig_com/EqxanQ_0H1JOsGY1BKwyyDgBnwHP3X2lkYEQS6VecEan9Q	Get hash	malicious	Unknown	Browse	142.250.185.238
	10_feb	Get hash	malicious	Unknown	Browse	142.250.185.110
	https://pioneerselectricals.ae/af	Get hash	malicious	Unknown	Browse	142.250.185.142
	https://hs-7396679.s.hubspotemail.net/hs/preferences-center/fr/page?data=W2nXS-N30h-FSW3z2Xb01N5Z5cW4fFhVH21sZ6TW255sGy41tBsYW3HcYG247vzsgW1Z47HF2Tgj-kW32gz-l2CtkNpW3LYWsY3QBRcTW4tG7X02xyspNW43DKv_2PFk1fW2WF-4r2w0h-yW49w9hg4ttzQ_W2HCpVw4ctRpPW43Sjb52HRv0CW3hXdPZ1VyBgtW2zHPTv49NmP6W2-9WZv2FG4k6W2359bN2RDH30W41rTvS2HQBxKW2Pn7cC1QksyKW3Z-Byf3ZFjvJW1X7H033QMstBW3H37s43gpDcMW1Bw3G124VmYkW4rw2ZT4fnXxnW2xX1CV1S9M8xW4cvDwg1_l7sdW3dyKVz2KBL5rW3ZK0Rf45V9BlW1Z8hKF1BFTl4W3VYxvq23qKH8W4mLzhm1BH5NyW4rxfYK41v0nTW3JJkf72zQpzyW3VGYj83K2-G7W1Npn714hJmTQW3z2-wK3QBkJcW2xYl5d3SZ_4KW2RKh1l2TylJ8W2p1FC01BtR6TW2RLsZz3jtG66W309kBf45wbf-W3zgcfz1LgZtvW1BccC01SsLS8W1_f4lk2w0dyjW3M7JMr4p8sXkW2WP1sL3Z-Dc10&utm_source=hs_automation&utm_medium=email&utm_content=117964848&_hsenc=p2ANqtz-9nHlzvhRJEFc_67dG81i7d_LBoKbrWJZVA0xKMKwKlfiU6z88-189miZyWac2MoGPmQGia1iM1Ee5i2BLwyVVXuMdUZOWB9UhETv9F1p0BkcZltnM&_hsmi=117964848	Get hash	malicious	Unknown	Browse	142.250.184.206
	https://notifications.google.com/g/p/ANiao5rdjmKDR8JzehcAm6SkEomHyUC9FcOJcLaNAljVsTh_7y7GPHabSUxjarmclBuNUOroPWAEevR_J8SHFG4A0r7ZjB9DO_wG3FKCGK3dnoeR_KDPpklJRFBsEWgvb_vtwzfPefraHWyONYTBlbPANZelBDXqtgdr73yy_Xuk5rUXAgTZ8QJkulDNKBkK64JgvThc7IxOJ7UIaTA	Get hash	malicious	Unknown	Browse	142.250.185.238
docu-flex.com	https://docu-flex.com/DocuFlex.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
youtube-ui.l.google.com	http://www.jumbos.com.au	Get hash	malicious	HTMLPhisher	Browse	142.250.185.142
	http://orcaslicer.net	Get hash	malicious	Unknown	Browse	142.250.185.110
	10_feb	Get hash	malicious	Unknown	Browse	142.250.185.206
	https://brandpad.io/lamb-building/	Get hash	malicious	Unknown	Browse	172.217.18.14
	https://hs-7396679.s.hubspotemail.net/hs/preferences-center/fr/page?data=W2nXS-N30h-FSW3z2Xb01N5Z5cW4fFhVH21sZ6TW255sGy41tBsYW3HcYG247vzsgW1Z47HF2Tgj-kW32gz-l2CtkNpW3LYWsY3QBRcTW4tG7X02xyspNW43DKv_2PFk1fW2WF-4r2w0h-yW49w9hg4ttzQ_W2HCpVw4ctRpPW43Sjb52HRv0CW3hXdPZ1VyBgtW2zHPTv49NmP6W2-9WZv2FG4k6W2359bN2RDH30W41rTvS2HQBxKW2Pn7cC1QksyKW3Z-Byf3ZFjvJW1X7H033QMstBW3H37s43gpDcMW1Bw3G124VmYkW4rw2ZT4fnXxnW2xX1CV1S9M8xW4cvDwg1_l7sdW3dyKVz2KBL5rW3ZK0Rf45V9BlW1Z8hKF1BFTl4W3VYxvq23qKH8W4mLzhm1BH5NyW4rxfYK41v0nTW3JJkf72zQpzyW3VGYj83K2-G7W1Npn714hJmTQW3z2-wK3QBkJcW2xYl5d3SZ_4KW2RKh1l2TylJ8W2p1FC01BtR6TW2RLsZz3jtG66W309kBf45wbf-W3zgcfz1LgZtvW1BccC01SsLS8W1_f4lk2w0dyjW3M7JMr4p8sXkW2WP1sL3Z-Dc10&utm_source=hs_automation&utm_medium=email&utm_content=117964848&_hsenc=p2ANqtz-9nHlzvhRJEFc_67dG81i7d_LBoKbrWJZVA0xKMKwKlfiU6z88-189miZyWac2MoGPmQGia1iM1Ee5i2BLwyVVXuMdUZOWB9UhETv9F1p0BkcZltnM&_hsmi=117964848	Get hash	malicious	Unknown	Browse	142.250.74.206
	lX1M7MPt7Y.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	142.250.184.206
	https://shorten.is/AdsPayments101	Get hash	malicious	HTMLPhisher	Browse	142.250.185.174
	http://itcmi.org	Get hash	malicious	Unknown	Browse	142.250.186.78
	lass.dll	Get hash	malicious	Unknown	Browse	142.250.185.206
	https://starkiss.hu/	Get hash	malicious	Unknown	Browse	142.250.186.78

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://www.pagina.pro/help-facebook-support-business-authentication-accountscenter-checkpoint-next/	Get hash	malicious	Unknown	Browse	172.64.153.235
	http://krakenen-login.gitbook.io/	Get hash	malicious	Unknown	Browse	104.18.41.89
	https://sltreanmcommnunlty.com/nurka/kisloy/efotr	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://boullilounniya-8678.vercel.app/mpn.kidgl/	Get hash	malicious	HTMLPhisher	Browse	104.26.4.15
	https://securitydigitalimpact.vercel.app/3ae&25&93cf6=5a&1eGK9d0xe13da4b=D400e	Get hash	malicious	HTMLPhisher	Browse	172.67.75.166
	https://unlawfulcontentdigitalhype.vercel.app/submit&	Get hash	malicious	HTMLPhisher	Browse	104.26.4.15
	Swift Copy_18.02.2025.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
	http://www.zyry.sk/wp-admin/maint/connexion/espace-client/password	Get hash	malicious	Unknown	Browse	104.17.24.14
	https://cdn.trytraffics.com/rdr/YWE9Mzc4MjA0NTU0JnNlaT0zMDQ1MjM1NCZ0az13alE4Mkd0TzB3NWZSR1VsSnB1TSZ0PTUmYz05MGFzODc2ZmQ4OWFzNWZnOGEwOXM=	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://cdn.trytraffics.com/rdr/YWE9Mzc4MjA0NTU0JnNlaT0zMDQ1MjM1NCZ0az13alE4Mkd0TzB3NWZSR1VsSnB1TSZ0PTUmYz05MGFzODc2ZmQ4OWFzNWZnOGEwOXM	Get hash	malicious	Unknown	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	http://www.pagina.pro/help-facebook-support-business-authentication-accountscenter-checkpoint-next/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://sltreanmcommnunlty.com/nurka/kisloy/efotr	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://unlawfulcontentdigitalhype.vercel.app/submit&	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	Swift Copy_18.02.2025.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Shipment details.exe	Get hash	malicious	AgentTesla	Browse	188.114.96.3
	https://userreportbrandagency.vercel.app/3ae&25&93cf6=5a&1eGK9d0xe13da4b=D400e	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	s57VlxH5.bat	Get hash	malicious	Quasar	Browse	188.114.96.3
	https://case-id-100987778565.mfbsp1324.click/?support-id-10096026	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://rm3f2.crackconnect.com/rd/4uCWvq4534JbWg123degwqwnvdk261CUGJJCTKGFOEVOQ20452YSLZ15860l14&d=DwMDAg	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://matiamask-wallate.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\PDFInstaller\node.exe	https://docu-flex.com/DocuFlex.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\PDFInstaller\node.exe	node-v20.12.2-x64.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\PDFInstaller\node_modules\bin.is-docker	https://docu-flex.com/DocuFlex.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\PDFInstaller\clipboard.exe	crazydown.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\PDFInstaller\clipboard.exe	crazydown.exe	Get hash	malicious	Unknown	Browse

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.5323010743850383
Encrypted:	false
SSDEEP:	6144:nuFRWyv+egu0PKbolURI90aHsWF9r/jAYLfLfNPQTgHt/89Kqv07c8JwhvMNV+3Z:nHJj1NRc5
MD5:	5629CB096F66B86C99F5144D5887E000
SHA1:	9071461BE08E73C433901A413318B7F31F7C490A
SHA-256:	BBDF7ECD7E875E6821E7437821CFFF0679674DA19F5727BE282BEB384DC25A33
SHA-512:	21BD9986E095AA4343911613BF96BB3DB9E8983F2904290993D2C4297169FB41525168F8698E4A4B4E41315375E7DD6889C27B64925518A7384EE60CD56B422F
Malicious:	false
Preview:	...@..@...@.....C.].....@............... 1...0..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.5938.132-64".en-US...Windows NT..10.0.190452(..x86_64..?........".mjspxc20,1...x86_64J..y..>.Z.{7J.....0...J?J..l.UE...}.J..z.A}...}.J.......Z.{7J...r.....5.J...,......J..w....Z.{7J.....Z.{7J.......Z.{7J..m#:^.d.;`J....Y..Z.{7J..Wfk..J..J........{..J..$.A(.Z.{7J..........eJ..Ox8..Z.{7J.........kJ..`..8....kJ..U..:..*nHJ.....c.=}.J..F.....:D:J.......r.dEJ...BD.c(..J..d....3.uJ..w........J.....u....kJ...?.q.u..JJ...........J.......u..JJ....GQ....J..4..e.c..J...T..lc.KP....20231002-080120.576000...+...............:..,..(.......EarlyProcessSingleton.......Default3.\..X...+...SupportPartitionedBlobUrlKillSwitchDisabled.!...Enabled_SupportPartitionedBlobUrl....<..

Process:	C:\Users\user\Desktop\DocuFlex.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	443903
Entropy (8bit):	6.1312597029392
Encrypted:	false
SSDEEP:	12288:v1wrVHYSaXfEaezdiF3d/Al3EqyW24ZYQZ:v1wx4hX44RAEqRrZYQZ
MD5:	BDF7D4CCD2CE8CC7AB6AE80914496799
SHA1:	B6CA8F7A5191BA431FE118A37863A32EDFBA9578
SHA-256:	FDAF49D7802993EE6C95E32FC488A4C78A0E69BE3D1060749208E84428AB1A79
SHA-512:	2EA6C05EEBECA5FF1561F32287DE090A6F8F9DD8FE8EAB5D320A310D646F76CB6A1885240069D2B1202F194E1F324682AA91EB2B24FC896AC3C14EB99309EB60
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: crazydown.exe, Detection: malicious, Browse Filename: crazydown.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...4..Z. ..S.....'..........Z....................@........................................... .....................................................................................................................t................................text..............................`.P`.data...............................@.0..rdata...B.......D..................@.P@/4.......c.......d..................@.0..bss..................................`..idata...............J..............@.0..CRT....@............Z..............@.0..tls.... ............\..............@.0./14.....X............^..............@..B/29..................`..............@..B/41..................x..............@..B/55.....5...........................@..B/67.......... ......................@..B/78......q...0...r..................@..B/89.................................@..B........................

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DocuFlex.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\PDFInstaller\chrome-profile\BrowserMetrics\BrowserMetrics-67B51980-F50.pma

C:\Users\user\AppData\Local\PDFInstaller\chrome-profile\Crashpad\settings.dat

C:\Users\user\AppData\Local\PDFInstaller\chrome-profile\Default\080175bf-37fc-4c9c-8b04-4cf5c7974ba3.tmp

C:\Users\user\AppData\Local\PDFInstaller\chrome-profile\Default\28ccde4e-50a9-4902-ac8c-b5f2ee96f559.tmp

C:\Users\user\AppData\Local\PDFInstaller\chrome-profile\Default\57db242e-d831-4efb-b387-63351c82ac18.tmp

C:\Users\user\AppData\Local\PDFInstaller\chrome-profile\Default\76c7d2b2-0f8e-4421-81c5-8e7fa8b6b8eb.tmp

C:\Users\user\AppData\Local\PDFInstaller\chrome-profile\Default\Affiliation Database

C:\Users\user\AppData\Local\PDFInstaller\chrome-profile\Default\Cache\Cache_Data\data_0

C:\Users\user\AppData\Local\PDFInstaller\chrome-profile\Default\Cache\Cache_Data\data_1

C:\Users\user\AppData\Local\PDFInstaller\chrome-profile\Default\Cache\Cache_Data\data_2

C:\Users\user\AppData\Local\PDFInstaller\chrome-profile\Default\Cache\Cache_Data\data_3

C:\Users\user\AppData\Local\PDFInstaller\chrome-profile\Default\Cache\Cache_Data\f_000001

C:\Users\user\AppData\Local\PDFInstaller\chrome-profile\Default\Cache\Cache_Data\f_000002

C:\Users\user\AppData\Local\PDFInstaller\chrome-profile\Default\Cache\Cache_Data\f_000003

C:\Users\user\AppData\Local\PDFInstaller\chrome-profile\Default\Cache\Cache_Data\f_000004

C:\Users\user\AppData\Local\PDFInstaller\chrome-profile\Default\Cache\Cache_Data\f_000005

C:\Users\user\AppData\Local\PDFInstaller\chrome-profile\Default\Cache\Cache_Data\index

C:\Users\user\AppData\Local\PDFInstaller\chrome-profile\Default\Code Cache\js\1ff89b0b120c0a63_0

Windows Analysis Report
DocuFlex.exe