
Windows Analysis Report
09.msi

Overview

General Information

Sample name: 09.msi
Analysis ID: 1629575
MD5: 5d79e3c7e41afb4471a61f10da60f18b
SHA1: b5c7f15349244598cae27917ad8d517efa3a1e5e
SHA256: 63c01bef2f00e6817676103516553d90c759fa54c62bfe3a9d81b8b3dc4ed95d
Tags: msi, user-1ZRR4H

Detection

RedLine
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
Connects to many ports of the same IP (likely port scanning)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
PE file has a writeable .text section
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • msiexec.exe (PID: 7604 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\09.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7660 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • SplashWin.exe (PID: 7744 cmdline: "C:\Users\user\AppData\Local\Ovum\SplashWin.exe" MD5: 4D20B83562EEC3660E45027AD56FB444)
      • SplashWin.exe (PID: 7776 cmdline: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe MD5: 4D20B83562EEC3660E45027AD56FB444)
        • cmd.exe (PID: 7796 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • IV_Ultra.exe (PID: 5472 cmdline: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe MD5: 967F4470627F823F4D7981E511C9824F)
            • msedge.exe (PID: 3168 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)
              • msedge.exe (PID: 7976 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=2076,i,5311184627292398515,17036706081950836006,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
            • msiexec.exe (PID: 6292 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\CYItxzPUhQoJnHTfGuXZ6ErE9Q.msi" MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7176 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 305021050A5BAA6F4A95D8CB61DF4189 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • ISBEW64.exe (PID: 6032 cmdline: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F7184887-32E3-4F40-B3F2-25CD4A76721C} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 1984 cmdline: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{66B4FEC0-0321-4CB0-94B1-8EE4FC51EFA0} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 3444 cmdline: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8C73472D-1ECD-46CF-AD44-25EC24484AF3} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 8048 cmdline: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5EEFA854-CCEA-47C9-BA19-347EEE2C708D} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 8024 cmdline: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8F988247-B80D-4DE7-B032-2409568AD7DD} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 7052 cmdline: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{12D4734F-ABA1-408C-AF28-6CDF344943E5} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 6816 cmdline: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{461BE618-A6B3-4FAA-995B-143060AFC7A8} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 6632 cmdline: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9679A2AA-0126-4D80-9B30-DFE27B8101B0} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 5768 cmdline: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4F0880A5-CA83-4E20-90F4-C7F35DC81440} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 6612 cmdline: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{627E1EB8-A17D-44C4-8B93-E801E2B953EA} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • SplashWin.exe (PID: 6008 cmdline: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe MD5: 4D20B83562EEC3660E45027AD56FB444)
        • cmd.exe (PID: 6872 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 2208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • SplashWin.exe (PID: 4080 cmdline: "C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe" MD5: 4D20B83562EEC3660E45027AD56FB444)
    • cmd.exe (PID: 5928 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • IV_Ultra.exe (PID: 3300 cmdline: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe MD5: 967F4470627F823F4D7981E511C9824F)
  • msedge.exe (PID: 7968 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)
    • msedge.exe (PID: 1272 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2760 --field-trial-handle=2168,i,16747635326085741895,13319245746600739658,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
    • msedge.exe (PID: 6220 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6400 --field-trial-handle=2168,i,16747635326085741895,13319245746600739658,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
    • msedge.exe (PID: 6176 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6572 --field-trial-handle=2168,i,16747635326085741895,13319245746600739658,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
    • identity_helper.exe (PID: 8184 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7096 --field-trial-handle=2168,i,16747635326085741895,13319245746600739658,262144 /prefetch:8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416)
    • identity_helper.exe (PID: 8008 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7096 --field-trial-handle=2168,i,16747635326085741895,13319245746600739658,262144 /prefetch:8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416)
  • msedge.exe (PID: 6796 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\pnhcfuktry | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\pnhcfuktry | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\pnhcfuktry | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | matched strings listed below
  • 0xbe9c7:$s14: keybd_event
  • 0xc5bb3:$v1_1: grabber@
  • 0xbf51f:$v1_2: <BrowserProfile>k__
  • 0xbff9e:$v1_3: <SystemHardwares>k__
  • 0xc005d:$v1_5: <ScannedWallets>k__
  • 0xc00ed:$v1_6: <DicrFiles>k__
  • 0xc00c9:$v1_7: <MessageClientFiles>k__
  • 0xc0493:$v1_8: <ScanBrowsers>k__BackingField
  • 0xc04e5:$v1_8: <ScanWallets>k__BackingField
  • 0xc0502:$v1_8: <ScanScreen>k__BackingField
  • 0xc053c:$v1_8: <ScanVPN>k__BackingField
  • 0xb17ea:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost
  • 0xb10f6:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig

Source | Rule | Description | Author | Strings
0000002A.00000002.2684247867.0000000005960000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000002A.00000002.2684247867.0000000005960000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
42.2.cmd.exe.59600c8.8.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
42.2.cmd.exe.59600c8.8.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
42.2.cmd.exe.59600c8.8.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | matched strings listed below
  • 0xbcbc7:$s14: keybd_event
  • 0xc3db3:$v1_1: grabber@
  • 0xbd71f:$v1_2: <BrowserProfile>k__
  • 0xbe19e:$v1_3: <SystemHardwares>k__
  • 0xbe25d:$v1_5: <ScannedWallets>k__
  • 0xbe2ed:$v1_6: <DicrFiles>k__
  • 0xbe2c9:$v1_7: <MessageClientFiles>k__
  • 0xbe693:$v1_8: <ScanBrowsers>k__BackingField
  • 0xbe6e5:$v1_8: <ScanWallets>k__BackingField
  • 0xbe702:$v1_8: <ScanScreen>k__BackingField
  • 0xbe73c:$v1_8: <ScanVPN>k__BackingField
  • 0xaf9ea:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost
  • 0xaf2f6:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
42.2.cmd.exe.59600c8.8.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
42.2.cmd.exe.59600c8.8.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
                  No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-04T21:50:59.754385+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 172.67.137.87 | 443 | TCP
2025-03-04T21:51:01.021773+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49739 | 172.67.137.87 | 443 | TCP
2025-03-04T21:51:02.078073+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49740 | 172.67.137.87 | 443 | TCP
2025-03-04T21:51:02.084608+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 104.21.58.202 | 443 | TCP
2025-03-04T21:51:38.332025+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50023 | 172.67.137.87 | 443 | TCP
2025-03-04T21:51:39.875749+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50030 | 172.67.137.87 | 443 | TCP
2025-03-04T21:51:40.670575+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50039 | 172.67.137.87 | 443 | TCP
2025-03-04T21:51:41.577328+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50046 | 172.67.137.87 | 443 | TCP
2025-03-04T21:51:42.673692+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50052 | 172.67.137.87 | 443 | TCP
2025-03-04T21:51:44.235725+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50063 | 172.67.137.87 | 443 | TCP
2025-03-04T21:51:45.427391+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50069 | 172.67.137.87 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP and Port | Protocol
2025-03-04T21:51:50.810551+0100 | 2052248 | 1 | A Network Trojan was detected | 192.168.2.4 | 50103 | 92.255.85.239000 (destination IP and port are run together in the extracted text) | TCP


                  AV Detection

Source: https://piaktrip.online/c4Ed | Avira URL Cloud: Label: malware
Source: https://piaktrip.online/Albany-Texas.html?khoyg1efvd=9eVg8xh2FdMx6aJnqa1n0a3Vyj0pHE9BafML582Q6TZmj6J | Avira URL Cloud: Label: malware
Source: https://undermymindops.com/SLAGGGLX.msiChrome/119.0.0.0 | Avira URL Cloud: Label: malware
Source: https://undermymindops.com/SLAGGGLX.msic | Avira URL Cloud: Label: malware
Source: https://piaktrip.online:443/Albany-Texas.html?khoyg1efvd=9eVg8xh2FdMx6aJnqa1n0a3Vyj0pHE9BafML582Q6TZ | Avira URL Cloud: Label: malware
Source: https://piaktrip.online/Albany-Texas.html?khoyg1efvd=9eVg8xh2FdMx6aJnqa1n0a3Vyj0pHE9BafML582Q6TZmj6Jcv67PaMMGq16tocrZ6Ct2mAWXx8nK%2FVCfeCbPeQ%3D%3D | Avira URL Cloud: Label: malware
Source: https://undermymindops.com//5 | Avira URL Cloud: Label: malware
Source: https://piaktrip.online:443 | Avira URL Cloud: Label: malware
Source: Submited Sample | Integrated Neural Analysis Model: Matched 100.0% probability

                  Bitcoin Miner

Source: IV_Ultra.exe, 0000000C.00000003.2419378543.0000000008221000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: jsecoin.com/
Source: IV_Ultra.exe, 0000000C.00000003.2419378543.0000000008221000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: coinhive.com/
Source: unknown | HTTPS traffic detected: 172.67.137.87:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.137.87:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.137.87:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.58.202:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.137.87:443 -> 192.168.2.4:50023 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.137.87:443 -> 192.168.2.4:50030 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.137.87:443 -> 192.168.2.4:50039 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.137.87:443 -> 192.168.2.4:50046 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.137.87:443 -> 192.168.2.4:50052 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.137.87:443 -> 192.168.2.4:50063 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.137.87:443 -> 192.168.2.4:50069 version: TLS 1.2
                  Source: Binary string: C:\CodeBases\isdev\Redist\Language Independent\i386\ISSetup.pdb source: IV_Ultra.exe, 0000000C.00000003.2279133019.0000000008791000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: E:\workdir\vc\rbin\RCClient\SplashWin.pdb,, source: SplashWin.exe, 00000002.00000002.1782818550.0000000000263000.00000002.00000001.01000000.00000003.sdmp, SplashWin.exe, 00000002.00000000.1770383634.0000000000263000.00000002.00000001.01000000.00000003.sdmp, SplashWin.exe, 00000003.00000002.1846312938.00000000003C3000.00000002.00000001.01000000.00000008.sdmp, SplashWin.exe, 00000003.00000000.1781085374.00000000003C3000.00000002.00000001.01000000.00000008.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2135285776.00000000003C3000.00000002.00000001.01000000.00000008.sdmp, SplashWin.exe, 0000000D.00000000.2067958543.00000000003C3000.00000002.00000001.01000000.00000008.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\profiles.ini source: IV_Ultra.exe, 0000000C.00000003.2638574146.0000000002E0E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2660843506.0000000002E0F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2637282358.0000000002E0E000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: IV_Ultra.exe, 0000000C.00000003.2261053014.0000000002E96000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: IV_Ultra.exe, 0000000C.00000003.2337415129.0000000002E38000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2268975199.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2269600707.0000000002E36000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2343088328.0000000002E37000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266951516.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2325322898.0000000002E38000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2270101370.0000000002E38000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2335509638.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2267625171.0000000002E38000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2330277760.0000000002E38000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266219496.0000000002E37000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: E:\workdir\ProgramDatabase\DuiLib_u.pdbww3 source: SplashWin.exe, 00000002.00000002.1793492344.000000006CEB5000.00000002.00000001.01000000.00000004.sdmp, SplashWin.exe, 00000003.00000002.1857137337.000000006C9C5000.00000002.00000001.01000000.00000009.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2141554694.000000006F8A5000.00000002.00000001.01000000.00000009.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2) source: IV_Ultra.exe, 0000000C.00000003.2268975199.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2269600707.0000000002E36000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266951516.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2270101370.0000000002E38000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2267625171.0000000002E38000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266219496.0000000002E37000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local State source: IV_Ultra.exe, 0000000C.00000003.2267625171.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2268975199.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266951516.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2269600707.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2270101370.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266219496.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: ntdll.pdb source: IV_Ultra.exe, 0000000C.00000002.2674808381.00000000064E8000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2663356752.00000000040EA000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2664344390.00000000042E2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2672848996.00000000058E8000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2674584620.00000000062EA000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2662229473.0000000003CEB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2671296738.00000000050E5000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2673740155.0000000005CEF000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2670283623.0000000004CEF000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2671572313.00000000052EE000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2667614739.00000000044E4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2662535667.0000000003EE1000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2670820488.0000000004EE7000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2668217363.00000000046EB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659775386.0000000002263000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2660448962.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2674291069.00000000060EE000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2673991581.0000000005EE2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2672500460.00000000056E8000.00000004.00000001.00020000.00000000.sdmp, 
IV_Ultra.exe, 0000000C.00000002.2672172154.00000000054EF000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2669004692.00000000048E6000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2669646512.0000000004AED000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2673112148.0000000005AE7000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Local Statez source: IV_Ultra.exe, 0000000C.00000003.2267625171.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2268975199.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266951516.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2269600707.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2270101370.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266219496.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdbUGP source: SplashWin.exe, 00000002.00000002.1792873424.000000000A287000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.1793040821.000000000A5E0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1855076240.000000000A970000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854848554.000000000A61A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1855374245.000000000AD20000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101036061.0000000004BDD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101485878.00000000054B0000.00000004.00001000.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139873668.000000000A327000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2140019481.000000000A680000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2140200213.000000000AA3A000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365243923.0000000004858000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntdll.pdbUGP source: IV_Ultra.exe, 0000000C.00000002.2674808381.00000000064E8000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2663356752.00000000040EA000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2664344390.00000000042E2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2672848996.00000000058E8000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2674584620.00000000062EA000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2662229473.0000000003CEB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2671296738.00000000050E5000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2673740155.0000000005CEF000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2670283623.0000000004CEF000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2671572313.00000000052EE000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2667614739.00000000044E4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2662535667.0000000003EE1000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2670820488.0000000004EE7000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2668217363.00000000046EB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659775386.0000000002263000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2660448962.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2674291069.00000000060EE000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2673991581.0000000005EE2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2672500460.00000000056E8000.00000004.00000001.00020000.00000000.sdmp, 
IV_Ultra.exe, 0000000C.00000002.2672172154.00000000054EF000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2669004692.00000000048E6000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2669646512.0000000004AED000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2673112148.0000000005AE7000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: SplashWin.exe, 00000002.00000002.1792873424.000000000A287000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.1793040821.000000000A5E0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1855076240.000000000A970000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854848554.000000000A61A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1855374245.000000000AD20000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101036061.0000000004BDD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101485878.00000000054B0000.00000004.00001000.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139873668.000000000A327000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2140019481.000000000A680000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2140200213.000000000AA3A000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365243923.0000000004858000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: E:\workdir\ProgramDatabase\DuiLib_u.pdb source: SplashWin.exe, 00000002.00000002.1793492344.000000006CEB5000.00000002.00000001.01000000.00000004.sdmp, SplashWin.exe, 00000003.00000002.1857137337.000000006C9C5000.00000002.00000001.01000000.00000009.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2141554694.000000006F8A5000.00000002.00000001.01000000.00000009.sdmp
                  Source: Binary string: E:\workdir\vc\rbin\RCClient\SplashWin.pdb source: SplashWin.exe, 00000002.00000002.1782818550.0000000000263000.00000002.00000001.01000000.00000003.sdmp, SplashWin.exe, 00000002.00000000.1770383634.0000000000263000.00000002.00000001.01000000.00000003.sdmp, SplashWin.exe, 00000003.00000002.1846312938.00000000003C3000.00000002.00000001.01000000.00000008.sdmp, SplashWin.exe, 00000003.00000000.1781085374.00000000003C3000.00000002.00000001.01000000.00000008.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2135285776.00000000003C3000.00000002.00000001.01000000.00000008.sdmp, SplashWin.exe, 0000000D.00000000.2067958543.00000000003C3000.00000002.00000001.01000000.00000008.sdmp
                  Source: Binary string: D:\agent\_work\20\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: SplashWin.exe, 00000002.00000002.1787276931.00000000008F7000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.1793621503.000000006E541000.00000020.00000001.01000000.00000005.sdmp, SplashWin.exe, 00000003.00000002.1856927388.000000006C931000.00000020.00000001.01000000.0000000A.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.0000000008791000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008ABA000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2141181014.000000006F811000.00000020.00000001.01000000.0000000A.sdmp
                  Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: ISBEW64.exe, 00000022.00000002.2367079261.00007FF6953F7000.00000002.00000001.01000000.0000001B.sdmp
                  Source: Binary string: winload_prod.pdb source: IV_Ultra.exe, 0000000C.00000003.2575125476.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: D:\agent\_work\20\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: SplashWin.exe, SplashWin.exe, 00000003.00000002.1856708594.000000006C8B1000.00000020.00000001.01000000.0000000B.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2140961287.000000006CD61000.00000020.00000001.01000000.0000000B.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Local State source: IV_Ultra.exe, 0000000C.00000003.2267625171.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2268975199.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266951516.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2269600707.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2270101370.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266219496.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: IV_Ultra.exe, 0000000C.00000003.2268975199.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2269600707.0000000002E36000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266951516.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2270101370.0000000002E38000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2267625171.0000000002E38000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266219496.0000000002E37000.00000004.00000001.00020000.00000000.sdmp
                  Source: C:\Windows\System32\msiexec.exe | File opened: z:
                  Source: C:\Windows\System32\msiexec.exe | File opened: x:
                  Source: C:\Windows\System32\msiexec.exe | File opened: v:
                  Source: C:\Windows\System32\msiexec.exe | File opened: t:
                  Source: C:\Windows\System32\msiexec.exe | File opened: r:
                  Source: C:\Windows\System32\msiexec.exe | File opened: p:
                  Source: C:\Windows\System32\msiexec.exe | File opened: n:
                  Source: C:\Windows\System32\msiexec.exe | File opened: l:
                  Source: C:\Windows\System32\msiexec.exe | File opened: j:
                  Source: C:\Windows\System32\msiexec.exe | File opened: h:
                  Source: C:\Windows\System32\msiexec.exe | File opened: f:
                  Source: C:\Windows\System32\msiexec.exe | File opened: b:
                  Source: C:\Windows\System32\msiexec.exe | File opened: y:
                  Source: C:\Windows\System32\msiexec.exe | File opened: w:
                  Source: C:\Windows\System32\msiexec.exe | File opened: u:
                  Source: C:\Windows\System32\msiexec.exe | File opened: s:
                  Source: C:\Windows\System32\msiexec.exe | File opened: q:
                  Source: C:\Windows\System32\msiexec.exe | File opened: o:
                  Source: C:\Windows\System32\msiexec.exe | File opened: m:
                  Source: C:\Windows\System32\msiexec.exe | File opened: k:
                  Source: C:\Windows\System32\msiexec.exe | File opened: i:
                  Source: C:\Windows\System32\msiexec.exe | File opened: g:
                  Source: C:\Windows\System32\msiexec.exe | File opened: e:
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | File opened: c:
                  Source: C:\Windows\System32\msiexec.exe | File opened: a:
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe | Code function: 2_2_6CDD20D0 _Open_dir,FindFirstFileExW,__Read_dir,FindClose,2_2_6CDD20D0
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8C20D0 _Open_dir,FindFirstFileExW,__Read_dir,FindClose,3_2_6C8C20D0

                  Networking

                  Source: Network traffic | Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50103 -> 92.255.85.23:9000
                  Source: global traffic | TCP traffic: 92.255.85.23 ports 9000,1,4,5,7,8,15847
                  Source: unknown | Network traffic detected: HTTP traffic on port 50103 -> 9000
                  Source: unknown | Network traffic detected: HTTP traffic on port 9000 -> 50103
                  Source: global traffic | TCP traffic: 192.168.2.4:50089 -> 92.255.85.23:15847
                  Source: global traffic | HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1
                      Host: 92.255.85.23:9000
                      Connection: Keep-Alive
                  Source: Joe Sandbox View | IP Address: 2.22.242.11
                  Source: Joe Sandbox View | IP Address: 18.244.18.27
                  Source: Joe Sandbox View | IP Address: 20.189.173.10
                  Source: Joe Sandbox View | IP Address: 20.125.209.212
                  Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                  Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 172.67.137.87:443
                  Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 172.67.137.87:443
                  Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.58.202:443
                  Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 172.67.137.87:443
                  Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50023 -> 172.67.137.87:443
                  Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50030 -> 172.67.137.87:443
                  Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50039 -> 172.67.137.87:443
                  Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50046 -> 172.67.137.87:443
                  Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50052 -> 172.67.137.87:443
                  Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50063 -> 172.67.137.87:443
                  Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50069 -> 172.67.137.87:443
                  Source: global traffic | HTTP traffic detected: POST /Albany-Texas.html?khoyg1efvd=9eVg8xh2FdMx6aJnqa1n0a3Vyj0pHE9BafML582Q6TZmj6Jcv67PaMMGq16tocrZ6Ct2mAWXx8nK%2FVCfeCbPeQ%3D%3D HTTP/1.1
                      Connection: Keep-Alive
                      Accept: */*
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
                      Content-Length: 147
                      Host: piaktrip.online
                  Source: global traffic | HTTP traffic detected: POST /Albany-Texas.html?khoyg1efvd=9eVg8xh2FdMx6aJnqa1n0a3Vyj0pHE9BafML582Q6TZmj6Jcv67PaMMGq16tocrZ6Ct2mAWXx8nK%2FVCfeCbPeQ%3D%3D HTTP/1.1
                      Connection: Keep-Alive
                      Accept: */*
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
                      c: QL8bqCwaL4MdQTHZUIL+cSROkcotroeHY099XhKGNOau0k/eX+oqKPvx8ZujdcDWSo7KWo9Vp19DWYTXcNcgj0m0jJW10LsLIr9i3dGQIGsqdB8BuM6xlOLz
                      Content-Length: 53
                      Host: piaktrip.online
                  Source: global traffic | HTTP traffic detected: POST /Albany-Texas.html?khoyg1efvd=9eVg8xh2FdMx6aJnqa1n0a3Vyj0pHE9BafML582Q6TZmj6Jcv67PaMMGq16tocrZ6Ct2mAWXx8nK%2FVCfeCbPeQ%3D%3D HTTP/1.1
                      Connection: Keep-Alive
                      Accept: */*
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
                      c: QL8bqCwaL4MdQTHZUIL+cSROkcotroeHY099XhKGNOau0k/eX+oqKPvx8ZujdcDWSo7KWo9Vp19DWYTXcNcgj0m0jJW10LsLIr9i3dGQIGsqdB8BuM6xlOLz
                      Content-Length: 208
                      Host: piaktrip.online
                  Source: global traffic | HTTP traffic detected: GET /SLAGGGLX.msi HTTP/1.1
                      Connection: Keep-Alive
                      Accept: */*
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                      Host: undermymindops.com
                  Source: global trafficHTTP traffic detected: POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1741121479892&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1Host: browser.events.data.msn.comConnection: keep-aliveContent-Length: 5547sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: text/plain;charset=UTF-8Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=02516264065666BA1AF177C107DC6729; _EDGE_S=F=1&SID=1D14E4B834D36BF4104BF11D35376ACB; _EDGE_V=1; msnup=%7B%22cnex%22%3A%22no%22%7D
                  Source: global trafficHTTP traffic detected: GET /crx/blobs/ASuc5ohcoRYyASTWkAI21BvR0f-Aos7pzgW3GtD8ImYoX-O9Pl77join3GT-5wpD1vT_nG6xpJ0eds7JOZacv0OYNfBAee3mKSnMDx3-YDnz3J7UxfHM_wfhsyHz9Z8rajAAxlKa5T9frrLlN0KHGfJRu7Y7NseNtZ_M/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_89_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global trafficHTTP traffic detected: POST /Albany-Texas.html?khoyg1efvd=9eVg8xh2FdMx6aJnqa1n0a3Vyj0pHE9BafML582Q6TZmj6Jcv67PaMMGq16tocrZ6Ct2mAWXx8nK%2FVCfeCbPeQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36c: QL8bqCwaL4MdQTHZUIL+cSROkcotroeHY099XhKGNOau0k/eX+oqKPvx8ZujdcDWSo7KWo9Vp19DWYTXcNcgj0m0jJW10LsLIr9i3dGQIGsqdB8BuM6xlOLzContent-Length: 113630Host: piaktrip.online
                  Source: global trafficHTTP traffic detected: POST /Albany-Texas.html?khoyg1efvd=9eVg8xh2FdMx6aJnqa1n0a3Vyj0pHE9BafML582Q6TZmj6Jcv67PaMMGq16tocrZ6Ct2mAWXx8nK%2FVCfeCbPeQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36c: QL8bqCwaL4MdQTHZUIL+cSROkcotroeHY099XhKGNOau0k/eX+oqKPvx8ZujdcDWSo7KWo9Vp19DWYTXcNcgj0m0jJW10LsLIr9i3dGQIGsqdB8BuM6xlOLzContent-Length: 745Host: piaktrip.online
                  Source: global trafficHTTP traffic detected: POST /Albany-Texas.html?khoyg1efvd=9eVg8xh2FdMx6aJnqa1n0a3Vyj0pHE9BafML582Q6TZmj6Jcv67PaMMGq16tocrZ6Ct2mAWXx8nK%2FVCfeCbPeQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36c: QL8bqCwaL4MdQTHZUIL+cSROkcotroeHY099XhKGNOau0k/eX+oqKPvx8ZujdcDWSo7KWo9Vp19DWYTXcNcgj0m0jJW10LsLIr9i3dGQIGsqdB8BuM6xlOLzContent-Length: 212Host: piaktrip.online
                  Source: global trafficHTTP traffic detected: POST /Albany-Texas.html?khoyg1efvd=9eVg8xh2FdMx6aJnqa1n0a3Vyj0pHE9BafML582Q6TZmj6Jcv67PaMMGq16tocrZ6Ct2mAWXx8nK%2FVCfeCbPeQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36c: QL8bqCwaL4MdQTHZUIL+cSROkcotroeHY099XhKGNOau0k/eX+oqKPvx8ZujdcDWSo7KWo9Vp19DWYTXcNcgj0m0jJW10LsLIr9i3dGQIGsqdB8BuM6xlOLzContent-Length: 380Host: piaktrip.online
                  Source: global trafficHTTP traffic detected: POST /Albany-Texas.html?khoyg1efvd=9eVg8xh2FdMx6aJnqa1n0a3Vyj0pHE9BafML582Q6TZmj6Jcv67PaMMGq16tocrZ6Ct2mAWXx8nK%2FVCfeCbPeQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36c: QL8bqCwaL4MdQTHZUIL+cSROkcotroeHY099XhKGNOau0k/eX+oqKPvx8ZujdcDWSo7KWo9Vp19DWYTXcNcgj0m0jJW10LsLIr9i3dGQIGsqdB8BuM6xlOLzContent-Length: 25734Host: piaktrip.online
                  Source: global trafficHTTP traffic detected: POST /Albany-Texas.html?khoyg1efvd=9eVg8xh2FdMx6aJnqa1n0a3Vyj0pHE9BafML582Q6TZmj6Jcv67PaMMGq16tocrZ6Ct2mAWXx8nK%2FVCfeCbPeQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36c: QL8bqCwaL4MdQTHZUIL+cSROkcotroeHY099XhKGNOau0k/eX+oqKPvx8ZujdcDWSo7KWo9Vp19DWYTXcNcgj0m0jJW10LsLIr9i3dGQIGsqdB8BuM6xlOLzContent-Length: 73805Host: piaktrip.online
                  Source: global trafficHTTP traffic detected: POST /Albany-Texas.html?khoyg1efvd=9eVg8xh2FdMx6aJnqa1n0a3Vyj0pHE9BafML582Q6TZmj6Jcv67PaMMGq16tocrZ6Ct2mAWXx8nK%2FVCfeCbPeQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36c: QL8bqCwaL4MdQTHZUIL+cSROkcotroeHY099XhKGNOau0k/eX+oqKPvx8ZujdcDWSo7KWo9Vp19DWYTXcNcgj0m0jJW10LsLIr9i3dGQIGsqdB8BuM6xlOLzContent-Length: 35Host: piaktrip.online
                  Source: global trafficHTTP traffic detected: OPTIONS /api/report?cat=bingbusiness HTTP/1.1Host: bzib.nelreports.netConnection: keep-aliveOrigin: https://business.bing.comAccess-Control-Request-Method: POSTAccess-Control-Request-Headers: content-typeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global trafficHTTP traffic detected: POST /api/report?cat=bingbusiness HTTP/1.1Host: bzib.nelreports.netConnection: keep-aliveContent-Length: 475Content-Type: application/reports+jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global trafficHTTP traffic detected: GET /SLAGGGLX.msi HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: undermymindops.com
                  Source: global trafficHTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/SSR-extension.b4dceb3fb90c199d68cd.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.35sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 200sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: */*sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=17255809B4C24F0495588900908FEA24.RefC=2025-03-04T20:51:11Z; USRLOC=; MUID=02516264065666BA1AF177C107DC6729; MUIDB=02516264065666BA1AF177C107DC6729; _EDGE_S=F=1&SID=1D14E4B834D36BF4104BF11D35376ACB; _EDGE_V=1
                  Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/web-worker.d3ac3ec818a0cdf01df5.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.35sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 200sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 3gAccept: */*sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=17255809B4C24F0495588900908FEA24.RefC=2025-03-04T20:51:11Z; USRLOC=; MUID=02516264065666BA1AF177C107DC6729; MUIDB=02516264065666BA1AF177C107DC6729; _EDGE_S=F=1&SID=1D14E4B834D36BF4104BF11D35376ACB; _EDGE_V=1
                  Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.5d0f28115e15fcff20c5.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.4fa8815283fe3d88a934.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.ccf37a049089f68490a9.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.3fa26ba080d24cc97170.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global trafficHTTP traffic detected: GET /statics/icons/favicon_newtabpage.png HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=02516264065666BA1AF177C107DC6729; _EDGE_S=F=1&SID=1D14E4B834D36BF4104BF11D35376ACB; _EDGE_V=1
                  Source: global trafficHTTP traffic detected: GET /c.gif?rnd=1741121476309&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=17255809b4c24f0495588900908fea24&activityId=17255809b4c24f0495588900908fea24&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=02516264065666BA1AF177C107DC6729; _EDGE_S=F=1&SID=1D14E4B834D36BF4104BF11D35376ACB; _EDGE_V=1
                  Source: global trafficHTTP traffic detected: GET /b?rn=1741121476309&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=02516264065666BA1AF177C107DC6729&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global trafficHTTP traffic detected: GET /b2?rn=1741121476309&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=02516264065666BA1AF177C107DC6729&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=1B746b2d242b982c5b4aac61741121477; XID=1B746b2d242b982c5b4aac61741121477
                  Source: global trafficHTTP traffic detected: GET /c.gif?rnd=1741121476309&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=17255809b4c24f0495588900908fea24&activityId=17255809b4c24f0495588900908fea24&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=3234A6CBF2364CC0B382933541EABC6B&MUID=02516264065666BA1AF177C107DC6729 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=02516264065666BA1AF177C107DC6729; _EDGE_S=F=1&SID=1D14E4B834D36BF4104BF11D35376ACB; _EDGE_V=1; SM=T
                  Source: global trafficHTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.9sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 200sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: */*sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=17255809B4C24F0495588900908FEA24.RefC=2025-03-04T20:51:11Z; USRLOC=; MUID=02516264065666BA1AF177C107DC6729; MUIDB=02516264065666BA1AF177C107DC6729; _EDGE_S=F=1&SID=1D14E4B834D36BF4104BF11D35376ACB; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=bb38bf83-cb82-4b05-aae3-446543972551; ai_session=SDVLFqoof6knU1+Q976gPW|1741121476304|1741121476304; sptmarket_restored=en-GB||us|en-us|en-us|en||cf=8|RefA=17255809B4C24F0495588900908FEA24.RefC=2025-03-04T20:51:11Z
                  Source: global trafficHTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: */*Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":30,"imageId":"BB1msyO4","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=17255809B4C24F0495588900908FEA24.RefC=2025-03-04T20:51:11Z; USRLOC=; MUID=02516264065666BA1AF177C107DC6729; MUIDB=02516264065666BA1AF177C107DC6729; _EDGE_S=F=1&SID=1D14E4B834D36BF4104BF11D35376ACB; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=bb38bf83-cb82-4b05-aae3-446543972551; ai_session=SDVLFqoof6knU1+Q976gPW|1741121476304|1741121476304; sptmarket_restored=en-GB||us|en-us|en-us|en||cf=8|RefA=17255809B4C24F0495588900908FEA24.RefC=2025-03-04T20:51:11Z
                  Source: global trafficHTTP traffic detected: GET /crx/blobs/ASuc5ohcoRYyASTWkAI21BvR0f-Aos7pzgW3GtD8ImYoX-O9Pl77join3GT-5wpD1vT_nG6xpJ0eds7JOZacv0OYNfBAee3mKSnMDx3-YDnz3J7UxfHM_wfhsyHz9Z8rajAAxlKa5T9frrLlN0KHGfJRu7Y7NseNtZ_M/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_89_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global trafficHTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                  Source: IV_Ultra.exe, 0000000C.00000003.2404053241.00000000082A4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: 'nonce-JCxpLz9a70pnKCmC116pam7l0qcEoMZtNMtjbk5Ixzg=' 'self' 'report-sample' assets.msn.cn assets2.msn.cn assets.msn.com assets2.msn.com www.msn.com www.msn.cn c.s-microsoft.com/mscc/ geolocation.onetrust.com/cookieconsentpub/v1/geo/location https://www.clarity.ms platform.bing.com/geo/AutoSuggest/v1 www.bing.com/as/ www.bing.com/s/as/ www.youtube.com js.monitor.azure.com business.bing.com/msb/;worker-src * blob: equals www.youtube.com (Youtube)
                  Source: IV_Ultra.exe, 0000000C.00000003.2404053241.00000000082A4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: 'nonce-JCxpLz9a70pnKCmC116pam7l0qcEoMZtNMtjbk5Ixzg=' 'self' 'report-sample' assets.msn.cn assets2.msn.cn assets.msn.com assets2.msn.com www.msn.com www.msn.cn c.s-microsoft.com/mscc/ geolocation.onetrust.com/cookieconsentpub/v1/geo/location https://www.clarity.ms platform.bing.com/geo/AutoSuggest/v1 www.bing.com/as/ www.bing.com/s/as/ www.youtube.com js.monitor.azure.com business.bing.com/msb/;worker-src * blob:X-Robots-Tag: noindexX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1X-UA-Compatible: IE=Edge;chrome=1x-fabric-cluster: pmeprodeusreport-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]},{"group":"csp-endpoint","max_age":86400,"endpoints":[{"url":"https://deff.nelreports.net/api/report"}]}nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":0.5}Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Prefers-Color-Scheme, Device-Memory, Downlink, ECT, RTT, Sec-CH-DPRX-Ceto-ref: 67c767c62df04e10adf70de974d1754d|AFD:0A144FF3CC9A4004A677137CED0C8DA8|2025-03-04T20:51:18.937ZX-Cache: CONFIG_NOCACHEX-MSEdge-Ref: Ref A: 0A144FF3CC9A4004A677137CED0C8DA8 Ref B: EWR311000104025 Ref C: 2025-03-04T20:51:18ZDate: Tue, 04 Mar 2025 20:51:18 GMTConnection: close equals www.youtube.com (Youtube)
                  Source: IV_Ultra.exe, 0000000C.00000003.2404053241.00000000082A4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: 70pnKCmC116pam7l0qcEoMZtNMtjbk5Ixzg=' 'self' 'report-sample' assets.msn.cn assets2.msn.cn assets.msn.com assets2.msn.com www.msn.com www.msn.cn c.s-microsoft.com/mscc/ geolocation.onetrust.com/cookieconsentpub/v1/geo/location https://www.clarity.ms platform.bing.com/geo/AutoSuggest/v1 www.bing.com/as/ www.bing.com/s/as/ www.youtube.com js.monitor.azure.com business.bing.com/msb/;worker-src * blob: equals www.youtube.com (Youtube)
                  Source: IV_Ultra.exe, 0000000C.00000003.2404053241.00000000082A4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: 70pnKCmC116pam7l0qcEoMZtNMtjbk5Ixzg=' 'self' 'report-sample' assets.msn.cn assets2.msn.cn assets.msn.com assets2.msn.com www.msn.com www.msn.cn c.s-microsoft.com/mscc/ geolocation.onetrust.com/cookieconsentpub/v1/geo/location https://www.clarity.ms platform.bing.com/geo/AutoSuggest/v1 www.bing.com/as/ www.bing.com/s/as/ www.youtube.com js.monitor.azure.com business.bing.com/msb/;worker-src * blob:X-Robots-Tag: noindexX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1X-UA-Compatible: IE=Edge;chrome=1x-fabric-cluster: pmeprodeusreport-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]},{"group":"csp-endpoint","max_age":86400,"endpoints":[{"url":"https://deff.nelreports.net/api/report"}]}nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":0.5}Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Prefers-Color-Scheme, Device-Memory, Downlink, ECT, RTT, Sec-CH-DPRX-Ceto-ref: 67c767c62df04e10adf70de974d1754d|AFD:0A144FF3CC9A4004A677137CED0C8DA8|2025-03-04T20:51:18.937ZX-Cache: CONFIG_NOCACHEX-MSEdge-Ref: Ref A: 0A144FF3CC9A4004A677137CED0C8DA8 Ref B: EWR311000104025 Ref C: 2025-03-04T20:51:18ZDate: Tue, 04 Mar 2025 20:51:18 GMTConnection: closeP? equals www.youtube.com (Youtube)
                  Source: IV_Ultra.exe, 0000000C.00000003.2455768490.00000000082D3000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2436753734.00000000082D2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2437138523.00000000082D3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: api.msn.com/auth/cookie/silentpassport https://api.msn.cn/auth/cookie/silentpassport https://www.msn.com https://www.msn.cn https://www.microsoftstart.com login.live.com login.microsoftonline.com www.bing.com/covid www.bing.com/rewardsapp/flyout www.bing.com/shop www.bing.com/shop/halloween www.bing.com/videos/search www.facebook.com www.odwebp.svc.ms www.youtube.com msn.pluto.tv www.bing.com/wpt/prefetchcib https://res.cdn.office.net/ business.bing.com sip: mailto: edge-auth.microsoft.com equals www.facebook.com (Facebook)
                  Source: IV_Ultra.exe, 0000000C.00000003.2455768490.00000000082D3000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2436753734.00000000082D2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2437138523.00000000082D3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: api.msn.com/auth/cookie/silentpassport https://api.msn.cn/auth/cookie/silentpassport https://www.msn.com https://www.msn.cn https://www.microsoftstart.com login.live.com login.microsoftonline.com www.bing.com/covid www.bing.com/rewardsapp/flyout www.bing.com/shop www.bing.com/shop/halloween www.bing.com/videos/search www.facebook.com www.odwebp.svc.ms www.youtube.com msn.pluto.tv www.bing.com/wpt/prefetchcib https://res.cdn.office.net/ business.bing.com sip: mailto: edge-auth.microsoft.com equals www.youtube.com (Youtube)
                  Source: IV_Ultra.exe, 0000000C.00000003.2455768490.00000000082D3000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2436753734.00000000082D2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2437138523.00000000082D3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: api.msn.com/auth/cookie/silentpassport https://api.msn.cn/auth/cookie/silentpassport https://www.msn.com https://www.msn.cn https://www.microsoftstart.com login.live.com login.microsoftonline.com www.bing.com/covid www.bing.com/rewardsapp/flyout www.bing.com/shop www.bing.com/shop/halloween www.bing.com/videos/search www.facebook.com www.odwebp.svc.ms www.youtube.com msn.pluto.tv www.bing.com/wpt/prefetchcib https://res.cdn.office.net/ business.bing.com sip: mailto: edge-auth.microsoft.comflate, br equals www.facebook.com (Facebook)
                  Source: IV_Ultra.exe, 0000000C.00000003.2455768490.00000000082D3000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2436753734.00000000082D2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2437138523.00000000082D3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: api.msn.com/auth/cookie/silentpassport https://api.msn.cn/auth/cookie/silentpassport https://www.msn.com https://www.msn.cn https://www.microsoftstart.com login.live.com login.microsoftonline.com www.bing.com/covid www.bing.com/rewardsapp/flyout www.bing.com/shop www.bing.com/shop/halloween www.bing.com/videos/search www.facebook.com www.odwebp.svc.ms www.youtube.com msn.pluto.tv www.bing.com/wpt/prefetchcib https://res.cdn.office.net/ business.bing.com sip: mailto: edge-auth.microsoft.comflate, br equals www.youtube.com (Youtube)
                  Source: global traffic | DNS traffic detected: DNS query: piaktrip.online
                  Source: global traffic | DNS traffic detected: DNS query: undermymindops.com
                  Source: global traffic | DNS traffic detected: DNS query: ntp.msn.com
                  Source: global traffic | DNS traffic detected: DNS query: bzib.nelreports.net
                  Source: global traffic | DNS traffic detected: DNS query: sb.scorecardresearch.com
                  Source: global traffic | DNS traffic detected: DNS query: c.msn.com
                  Source: global traffic | DNS traffic detected: DNS query: assets.msn.com
                  Source: global traffic | DNS traffic detected: DNS query: api.msn.com
                  Source: global traffic | DNS traffic detected: DNS query: chrome.cloudflare-dns.com
                  Source: global traffic | DNS traffic detected: DNS query: tse1.mm.bing.net
                  Source: unknown | DoH DNS queries detected: name: assets.msn.com
                  Source: unknown | HTTP traffic detected:
                      POST /Albany-Texas.html?khoyg1efvd=9eVg8xh2FdMx6aJnqa1n0a3Vyj0pHE9BafML582Q6TZmj6Jcv67PaMMGq16tocrZ6Ct2mAWXx8nK%2FVCfeCbPeQ%3D%3D HTTP/1.1
                      Connection: Keep-Alive
                      Accept: */*
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
                      Content-Length: 147
                      Host: piaktrip.online
                  Source: global traffic | HTTP traffic detected:
                      HTTP/1.1 503 Service Unavailable
                      Server: AkamaiGHost
                      Mime-Version: 1.0
                      Content-Type: text/html
                      Content-Length: 373
                      Expires: Tue, 04 Mar 2025 20:51:12 GMT
                      Date: Tue, 04 Mar 2025 20:51:12 GMT
                      Connection: close
                      PMUSER_FORMAT_QS: 
                      X-CDN-TraceId: 0.65f21602.1741121472.32661371
                      Access-Control-Allow-Headers: *
                      Access-Control-Allow-Credentials: false
                      Access-Control-Allow-Methods: GET, OPTIONS, POST
                      Access-Control-Allow-Origin: *
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2230878062.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008796000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228669585.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2234749334.00000000084B0000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                  Source: IV_Ultra.exe, 0000000C.00000003.2451717585.00000000082D2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2574587812.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2638130851.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2637834053.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2404616162.00000000082AF000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2621365178.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2434060318.00000000082D2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2451976324.00000000082D3000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2545579864.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2578496500.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2434245748.00000000082D3000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2621022192.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2638714621.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2636250425.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2419181054.00000000082D3000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2418963495.00000000082D2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2230878062.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008796000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228669585.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2234749334.00000000084B0000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                  Source: SplashWin.exe, 00000002.00000003.1778650852.0000000000912000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.0000000008791000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008ABA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                  Source: SplashWin.exe, 00000002.00000003.1778650852.0000000000912000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.0000000008791000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008ABA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
                  Source: SplashWin.exe, 00000002.00000003.1778650852.0000000000912000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.0000000008791000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008ABA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                  Source: SplashWin.exe, 00000002.00000003.1778650852.0000000000912000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.0000000008791000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008ABA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2230878062.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008796000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228669585.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2234749334.00000000084B0000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                  Source: IV_Ultra.exe, 0000000C.00000003.2451717585.00000000082D2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2574587812.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2638130851.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2637834053.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2404616162.00000000082AF000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2621365178.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2434060318.00000000082D2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2451976324.00000000082D3000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2545579864.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2578496500.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2434245748.00000000082D3000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2621022192.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2638714621.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2636250425.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2419181054.00000000082D3000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2418963495.00000000082D2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2230878062.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008796000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228669585.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2234749334.00000000084B0000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2230878062.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008796000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228669585.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2234749334.00000000084B0000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2230878062.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008796000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228669585.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2234749334.00000000084B0000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                  Source: SplashWin.exe, 00000002.00000003.1778650852.0000000000912000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.0000000008791000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008ABA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
                  Source: SplashWin.exe, 00000002.00000003.1778650852.0000000000912000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.0000000008791000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008ABA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                  Source: SplashWin.exe, 00000002.00000003.1778650852.0000000000912000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.0000000008791000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008ABA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
                  Source: IV_Ultra.exe, 0000000C.00000003.2437432309.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2405454138.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2540111710.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2432795954.0000000008221000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://e5.i.lencr.org/0A
                  Source: IV_Ultra.exe, 0000000C.00000003.2437432309.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2405454138.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2540111710.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2432795954.0000000008221000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://e5.o.lencr.org0
                  Source: SplashWin.exe, 00000002.00000003.1778650852.0000000000912000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.0000000008791000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008ABA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                  Source: IV_Ultra.exe, 0000000C.00000003.2543646050.00000000082DC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.dig
                  Source: IV_Ultra.exe, 0000000C.00000003.2451717585.00000000082D2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2574587812.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2638130851.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2637834053.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2404616162.00000000082AF000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2621365178.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2434060318.00000000082D2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2451976324.00000000082D3000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2545579864.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2578496500.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2434245748.00000000082D3000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2621022192.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2638714621.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2636250425.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2419181054.00000000082D3000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2418963495.00000000082D2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2230878062.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008796000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228669585.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2234749334.00000000084B0000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0L
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2230878062.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008796000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228669585.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2234749334.00000000084B0000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                  Source: SplashWin.exe, 00000002.00000003.1778650852.0000000000912000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.0000000008791000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008ABA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2230878062.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008796000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228669585.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2234749334.00000000084B0000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2230878062.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008796000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228669585.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2234749334.00000000084B0000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://s2.symcb.com0
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2230878062.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008796000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228669585.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2234749334.00000000084B0000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl0a
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2230878062.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008796000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228669585.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2234749334.00000000084B0000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crt0
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2230878062.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008796000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228669585.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2234749334.00000000084B0000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com0&
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000000.2059222937.00000001401E0000.00000002.00000001.01000000.00000010.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.???.xx/?search=%s
                  Source: IV_Ultra.exe, 0000000C.00000003.2230878062.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008796000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228669585.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2234749334.00000000084B0000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                  Source: IV_Ultra.exe, 0000000C.00000003.2230878062.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008796000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228669585.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2234749334.00000000084B0000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.flexerasoftware.com0
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009BB2000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A07C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F35000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.0000000002663000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009D92000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BB5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.info-zip.org/
                  Source: IV_Ultra.exe, 0000000C.00000003.2450408072.000000000822C000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2418032809.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2543068719.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2467547118.000000000822C000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2432952118.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
                  Source: IV_Ultra.exe, 0000000C.00000003.2450408072.000000000822C000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2418032809.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2543068719.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2467547118.000000000822C000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2432952118.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.i
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000000.2059222937.00000001401E0000.00000002.00000001.01000000.00000010.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.com
                  Source: IV_Ultra.exe, 0000000C.00000000.2059222937.00000001401F4000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.softwareok.com/?Download=Find.Same.Images.OK
                  Source: IV_Ultra.exe, 0000000C.00000000.2059222937.00000001401F4000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK
                  Source: IV_Ultra.exe, 0000000C.00000000.2059222937.00000001401F4000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History
                  Source: IV_Ultra.exe, 0000000C.00000000.2059222937.00000001401F4000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000000.2059222937.00000001401E0000.00000002.00000001.01000000.00000010.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.de
                  Source: IV_Ultra.exe, 0000000C.00000000.2059222937.00000001401F4000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.softwareok.de/?Download=Find.Same.Images.OK
                  Source: IV_Ultra.exe, 0000000C.00000000.2059222937.00000001401F4000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK
                  Source: IV_Ultra.exe, 0000000C.00000000.2059222937.00000001401F4000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History
                  Source: IV_Ultra.exe, 0000000C.00000000.2059222937.00000001401F4000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0
                  Source: cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.surfok.de/
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2230878062.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008796000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228669585.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2234749334.00000000084B0000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2230878062.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008796000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228669585.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2234749334.00000000084B0000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa00
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0/
                  Source: IV_Ultra.exe, 0000000C.00000003.2404616162.00000000082DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                  Source: IV_Ultra.exe, 0000000C.00000003.2404616162.00000000082DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                  Source: IV_Ultra.exe, 0000000C.00000003.2265845865.0000000002EAE000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266399722.0000000002EAE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: IV_Ultra.exe, 0000000C.00000003.2468582660.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2376332129.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://alekberg.net/privacy
                  Source: IV_Ultra.exe, 0000000C.00000003.2421167454.00000000082D3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.cn/auth/cookie/silentpassport
                  Source: IV_Ultra.exe, 0000000C.00000003.2455036190.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2403339499.0000000002E78000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/MarketMismatchCoachMark.a03d30a2272eef7b7188.j
                  Source: IV_Ultra.exe, 0000000C.00000003.2404374426.0000000002E78000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/channel-data-connector.b857251407e592f709ce.js
                  Source: IV_Ultra.exe, 0000000C.00000003.2434060318.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2418963495.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2397179491.00000000082BA000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2451717585.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/clarity.36f98ce6150787681ef0.js
                  Source: IV_Ultra.exe, 0000000C.00000003.2434060318.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2418963495.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2397179491.00000000082BA000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2451717585.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/clarity.36f98ce6150787681ef0.js.47ef7b7188.jsa
                  Source: IV_Ultra.exe, 0000000C.00000003.2437717520.00000000082D2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2438803742.00000000082D3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/common-feed-libs.12b30f1ad55deb148a9a.js
                  Source: IV_Ultra.exe, 0000000C.00000003.2437717520.00000000082D2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2438803742.00000000082D3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/common-feed-libs.12b30f1ad55deb148a9a.js984&w=
                  Source: IV_Ultra.exe, 0000000C.00000003.2543646050.00000000082DC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2418032809.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2432952118.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/common-settings-edgenext.a92053920d965765ecb6.
                  Source: IV_Ultra.exe, 0000000C.00000003.2418963495.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2418032809.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/common.ccf37a049089f68490a9.js
                  Source: IV_Ultra.exe, 0000000C.00000003.2418963495.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/common.ccf37a049089f68490a9.js5.47a.jsa
                  Source: IV_Ultra.exe, 0000000C.00000003.2418032809.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/common.ccf37a049089f68490a9.js7979c81063b95eee
                  Source: IV_Ultra.exe, 0000000C.00000003.2543434750.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2421102538.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2404374426.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2437094452.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2455646406.0000000002E78000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/cs-core-desktop_card-components_dist_card-bann
                  Source: IV_Ultra.exe, 0000000C.00000003.2420744262.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2450827417.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2432952118.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/digest-card.85cfeee6ee4d102a4b71.js
                  Source: IV_Ultra.exe, 0000000C.00000003.2436565939.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2450827417.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2455036190.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2432952118.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/experience.3fa26ba080d24cc97170.js
                  Source: IV_Ultra.exe, 0000000C.00000003.2376332129.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/experiences_top-sites-edgenext-wc_dist_TopSite
                  Source: IV_Ultra.exe, 0000000C.00000003.2436237391.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2402960823.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/feedback.6a9b58a02a317bcb2465.js
                  Source: IV_Ultra.exe, 0000000C.00000003.2454644710.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2436237391.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/feedback.6a9b58a02a317bcb2465.js892&w=0
                  Source: IV_Ultra.exe, 0000000C.00000003.2454644710.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2420591440.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2436237391.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2402960823.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/feedback.6a9b58a02a317bcb2465.jssion
                  Source: IV_Ultra.exe, 0000000C.00000003.2401458020.00000000082D2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2401786246.00000000082D3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/libs_location-service_dist_AutoSuggestService_
                  Source: IV_Ultra.exe, 0000000C.00000003.2455646406.0000000002E78000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/libs_topics-shared-state_dist_TopicData_connec
                  Source: IV_Ultra.exe, 0000000C.00000003.2432952118.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/microsoft.4fa8815283fe3d88a934.jsicData_connec
                  Source: IV_Ultra.exe, 0000000C.00000003.2434060318.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2454644710.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2436237391.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2437094452.0000000002E78000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/money-info-service.b867bae147464f8d8a02.js
                  Source: IV_Ultra.exe, 0000000C.00000003.2434060318.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2437094452.0000000002E78000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/money-info-service.b867bae147464f8d8a02.jsa
                  Source: IV_Ultra.exe, 0000000C.00000003.2451717585.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/nas-highlight-v3v4.38a4f083c7c7607ccda4.js
                  Source: IV_Ultra.exe, 0000000C.00000003.2450827417.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/nas-highlight-v3v4.38a4f083c7c7607ccda4.js240a
                  Source: IV_Ultra.exe, 0000000C.00000003.2450827417.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2451717585.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/nas-highlight-v3v4.38a4f083c7c7607ccda4.jsa
                  Source: IV_Ultra.exe, 0000000C.00000003.2467547118.0000000008265000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/nativeadstemplates.0610aec23b25fd495dd1.js
                  Source: IV_Ultra.exe, 0000000C.00000003.2467547118.0000000008265000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/nativeadstemplates.0610aec23b25fd495dd1.jsa
                  Source: IV_Ultra.exe, 0000000C.00000003.2543434750.0000000002EB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/nurturing-placement-manager.852a662b8fe0e45847
                  Source: IV_Ultra.exe, 0000000C.00000003.2436565939.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2420744262.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2455036190.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2403339499.0000000002E78000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/ocvFeedback.c7b366c72ae6ca3a3d87.js
                  Source: IV_Ultra.exe, 0000000C.00000003.2436565939.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2420744262.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2455036190.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2403339499.0000000002E78000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/ocvFeedback.c7b366c72ae6ca3a3d87.jsa
                  Source: IV_Ultra.exe, 0000000C.00000003.2436565939.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2420744262.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2455036190.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2403339499.0000000002E78000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/super-nav.0559bdf8ce6c05205c5b.js
                  Source: IV_Ultra.exe, 0000000C.00000003.2436565939.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2420744262.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2455036190.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2403339499.0000000002E78000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/super-nav.0559bdf8ce6c05205c5b.jsa
                  Source: IV_Ultra.exe, 0000000C.00000003.2636250425.0000000008265000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/service/news/feed/pages/weblayout?User=m-02516264065666BA1AF177C107DC6729&act
                  Source: IV_Ultra.exe, 0000000C.00000003.2405637375.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/service/segments/recoitems/weather?apikey=UhJ4G66OjyLbn9mXARgajXLiLw6V75sHnfp
                  Source: IV_Ultra.exe, 0000000C.00000003.2404374426.0000000002E78000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/taskbar_v10/Condition_Card/MostlySunnyD
                  Source: IV_Ultra.exe, 0000000C.00000003.2543434750.0000000002EB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://azureedge.net
                  Source: IV_Ultra.exe, 0000000C.00000003.2402960823.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2419378543.0000000008265000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-strea
                  Source: IV_Ultra.exe, 0000000C.00000003.2454644710.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2420591440.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2436237391.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
                  Source: IV_Ultra.exe, 0000000C.00000003.2265845865.0000000002EAE000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266399722.0000000002EAE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: IV_Ultra.exe, 0000000C.00000003.2265845865.0000000002EAE000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266399722.0000000002EAE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: IV_Ultra.exe, 0000000C.00000003.2265845865.0000000002EAE000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266399722.0000000002EAE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: IV_Ultra.exe, 0000000C.00000003.2434416031.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2437432309.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2405454138.0000000008265000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://chrome.cloudflare-dns.com
                  Source: IV_Ultra.exe, 0000000C.00000003.2434416031.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2437432309.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2405454138.0000000008265000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://chrome.cloudflare-dns.com9
                  Source: IV_Ultra.exe, 0000000C.00000003.2468582660.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2376332129.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://chromium.dns.nextdns.io
                  Source: IV_Ultra.exe, 0000000C.00000003.2468582660.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2376332129.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://chromium.dns.nextdns.iohttps://nextdns.io/privacyr
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2230878062.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008796000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228669585.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2234749334.00000000084B0000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2230878062.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008796000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228669585.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2234749334.00000000084B0000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
                  Source: IV_Ultra.exe, 0000000C.00000003.2404053241.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report
                  Source: IV_Ultra.exe, 0000000C.00000003.2404616162.00000000082AF000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2455341689.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2420921016.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2436753734.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report&0
                  Source: IV_Ultra.exe, 0000000C.00000003.2455097130.00000000082D3000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2405454138.0000000008265000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                  Source: IV_Ultra.exe, 0000000C.00000003.2455341689.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2420921016.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2436753734.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn.net
                  Source: IV_Ultra.exe, 0000000C.00000003.2434416031.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2437432309.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2405454138.0000000008265000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn0
                  Source: IV_Ultra.exe, 0000000C.00000003.2455341689.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2420921016.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2436753734.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msna
                  Source: IV_Ultra.exe, 0000000C.00000003.2455341689.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2420921016.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2436753734.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msnom
                  Source: IV_Ultra.exe, 0000000C.00000003.2455341689.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2420921016.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2436753734.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/reportcat=msn
                  Source: IV_Ultra.exe, 0000000C.00000003.2404616162.00000000082AF000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2455341689.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2420921016.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2436753734.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/reportionS
                  Source: IV_Ultra.exe, 0000000C.00000003.2404616162.00000000082AF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations/
                  Source: IV_Ultra.exe, 0000000C.00000003.2404616162.00000000082AF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                  Source: IV_Ultra.exe, 0000000C.00000003.2404616162.00000000082AF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations/
                  Source: IV_Ultra.exe, 0000000C.00000003.2404616162.00000000082AF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                  Source: IV_Ultra.exe, 0000000C.00000003.2418498059.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2433574540.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2451123109.0000000002E78000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://developers.google.com/speed/public-dns/privacy
                  Source: IV_Ultra.exe, 0000000C.00000003.2418498059.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2433574540.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2451123109.0000000002E78000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://developers.google.com/speed/public-dns/privacyquery
                  Source: IV_Ultra.exe, 0000000C.00000003.2434621710.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2452733933.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2419588289.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2401458020.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dns.levonet.sk/dns-query
                  Source: IV_Ultra.exe, 0000000C.00000003.2468582660.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2376332129.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dns.quad9.net/dns-query
                  Source: IV_Ultra.exe, 0000000C.00000003.2468582660.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2376332129.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dns.sb/privacy/
                  Source: IV_Ultra.exe, 0000000C.00000003.2468582660.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2376332129.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dns.sb/privacy/Char
                  Source: IV_Ultra.exe, 0000000C.00000003.2434621710.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2452733933.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2419588289.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2401458020.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dns10.quad9.net/dns-query
                  Source: IV_Ultra.exe, 0000000C.00000003.2434621710.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2452733933.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2419588289.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2401458020.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dns11.quad9.net/dns-query
                  Source: IV_Ultra.exe, 0000000C.00000003.2434621710.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2452733933.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2419588289.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2401458020.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://doh-01.spectrum.com/dns-query
                  Source: IV_Ultra.exe, 0000000C.00000003.2434621710.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2452733933.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2419588289.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2401458020.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://doh-02.spectrum.com/dns-query
                  Source: IV_Ultra.exe, 0000000C.00000003.2451123109.0000000002E78000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://doh.cleanbrowsing.org/doh/adult-filter
                  Source: IV_Ultra.exe, 0000000C.00000003.2451123109.0000000002E78000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://doh.cleanbrowsing.org/doh/family-filter
                  Source: IV_Ultra.exe, 0000000C.00000003.2451123109.0000000002E78000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://doh.cleanbrowsing.org/doh/security-filter
                  Source: IV_Ultra.exe, 0000000C.00000003.2468582660.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2376332129.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://doh.cox.net/dns-query
                  Source: IV_Ultra.exe, 0000000C.00000003.2451123109.0000000002E78000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://doh.familyshield.opendns.com/dns-query
                  Source: IV_Ultra.exe, 0000000C.00000003.2434621710.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2452733933.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2419588289.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2401458020.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://doh.opendns.com/dns-query
                  Source: IV_Ultra.exe, 0000000C.00000003.2434621710.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2452733933.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2419588289.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2401458020.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://doh.quickline.ch/dns-query
                  Source: IV_Ultra.exe, 0000000C.00000003.2265845865.0000000002EAE000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266399722.0000000002EAE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: IV_Ultra.exe, 0000000C.00000003.2265845865.0000000002EAE000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266399722.0000000002EAE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: IV_Ultra.exe, 0000000C.00000003.2265845865.0000000002EAE000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266399722.0000000002EAE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: IV_Ultra.exe, 0000000C.00000003.2404616162.00000000082AF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com
                  Source: IV_Ultra.exe, 0000000C.00000003.2404616162.00000000082DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
                  Source: IV_Ultra.exe, 0000000C.00000003.2419378543.0000000008265000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
                  Source: IV_Ultra.exe, 0000000C.00000003.2543731160.0000000002EB1000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2543434750.0000000002EB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
                  Source: IV_Ultra.exe, 0000000C.00000003.2543731160.0000000002EB1000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2543434750.0000000002EB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset4B
                  Source: IV_Ultra.exe, 0000000C.00000003.2404374426.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2397179491.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
                  Source: IV_Ultra.exe, 0000000C.00000003.2405637375.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA11MSkH
                  Source: IV_Ultra.exe, 0000000C.00000003.2543646050.00000000082DC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2437432309.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2405454138.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2540111710.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2432795954.0000000008221000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA13Q6AL
                  Source: IV_Ultra.exe, 0000000C.00000003.2543646050.00000000082DC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2437432309.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2405454138.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2540111710.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2432795954.0000000008221000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA13Q6ALLast-Modified:
                  Source: IV_Ultra.exe, 0000000C.00000003.2405637375.00000000082A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA1tU84U
Source: IV_Ultra.exe, 0000000C.00000003.2574587812.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2467547118.0000000008248000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2638130851.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2637834053.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2621365178.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2545579864.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2406073178.00000000082D3000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2578496500.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2450408072.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2405637375.00000000082D2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2467547118.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2437432309.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2405454138.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2540111710.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2621022192.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2638714621.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2636250425.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2432795954.0000000008221000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA1u24yb
Source: IV_Ultra.exe, 0000000C.00000003.2574587812.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2467547118.0000000008248000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2638130851.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2637834053.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2621365178.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2545579864.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2406073178.00000000082D3000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2578496500.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2450408072.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2405637375.00000000082D2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2467547118.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2437432309.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2405454138.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2540111710.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2621022192.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2638714621.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2636250425.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2432795954.0000000008221000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA1u24ybX-Source-Length:
Source: IV_Ultra.exe, 0000000C.00000003.2467547118.0000000008248000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2437432309.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2405454138.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2540111710.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2432795954.0000000008221000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA1xc9H0
Source: IV_Ultra.exe, 0000000C.00000003.2467547118.0000000008248000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2437432309.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2405454138.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2540111710.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2432795954.0000000008221000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA1xc9H0Last-Modified:
Source: IV_Ultra.exe, 0000000C.00000003.2543646050.00000000082DC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAc9vHK
Source: IV_Ultra.exe, 0000000C.00000003.2543646050.00000000082DC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAc9vHKLast-Modified:
Source: IV_Ultra.exe, 0000000C.00000003.2405637375.00000000082A4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAdTRDX
Source: IV_Ultra.exe, 0000000C.00000003.2405637375.00000000082A4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAdTRDX)
Source: IV_Ultra.exe, 0000000C.00000003.2405637375.00000000082A4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/BB1msDBP
Source: IV_Ultra.exe, 0000000C.00000003.2468582660.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2376332129.00000000082A4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/
Source: IV_Ultra.exe, 0000000C.00000003.2468582660.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2376332129.00000000082A4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/Char
Source: IV_Ultra.exe, 0000000C.00000003.2434416031.0000000008233000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2419378543.0000000008233000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2402078229.0000000008233000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2452309391.0000000008233000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/
Source: IV_Ultra.exe, 0000000C.00000003.2543434750.0000000002EB0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://msn.com
Source: IV_Ultra.exe, 0000000C.00000003.2468582660.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2376332129.00000000082A4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://nextdns.io/privacy
Source: IV_Ultra.exe, 0000000C.00000003.2405454138.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2540111710.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2402960823.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2432795954.0000000008221000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.
Source: IV_Ultra.exe, 0000000C.00000003.2455097130.00000000082D3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.com
Source: IV_Ultra.exe, 0000000C.00000003.2636250425.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2437717520.00000000082AD000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2467547118.000000000822C000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2404053241.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2420788827.00000000082D3000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2468582660.00000000082BE000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2432952118.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2419181054.00000000082D3000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2454172947.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2432795954.0000000008221000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2420057701.00000000082D2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2419378543.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2438803742.00000000082D3000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2418963495.00000000082D2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.com/
Source: IV_Ultra.exe, 0000000C.00000003.2402960823.00000000082D2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2403622318.00000000082D3000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2420357849.00000000082D3000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2420057701.00000000082D2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.com/e6
Source: IV_Ultra.exe, 0000000C.00000003.2437717520.00000000082D2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2438803742.00000000082D3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=288
Source: IV_Ultra.exe, 0000000C.00000003.2451717585.00000000082A4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New
Source: IV_Ultra.exe, 0000000C.00000003.2438803742.00000000082D3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&start
Source: IV_Ultra.exe, 0000000C.00000003.2454172947.00000000082A4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.comAccess-Control-Expose-Headers:
Source: IV_Ultra.exe, 0000000C.00000003.2574587812.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2638130851.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2637834053.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2621365178.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2545579864.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2578496500.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2621022192.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2638714621.0000000008265000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2636250425.0000000008265000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.comcache-control:public
Source: IV_Ultra.exe, 0000000C.00000003.2454172947.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2420057701.00000000082D2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2455097130.00000000082D3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.comreport-to:
Source: IV_Ultra.exe, 0000000C.00000003.2406073178.00000000082D3000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2405637375.00000000082D2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.comx-as-suppresssetcookie:1cache-control:private
Source: IV_Ultra.exe, 0000000C.00000003.2468582660.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2376332129.00000000082A4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://odvr.nic.cz/doh
Source: IV_Ultra.exe, 0000000C.00000003.2434416031.0000000008233000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2419378543.0000000008233000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2402078229.0000000008233000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2452309391.0000000008233000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://permanently-removed.invalid/
Source: IV_Ultra.exe, 0000000C.00000003.2225598788.0000000000687000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://piaktrip.online/
Source: IV_Ultra.exe, 0000000C.00000003.2637282358.0000000002E0E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2226222196.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266219496.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://piaktrip.online/Albany-Texas.html?khoyg1efvd=9eVg8xh2FdMx6aJnqa1n0a3Vyj0pHE9BafML582Q6TZmj6J
Source: IV_Ultra.exe, 0000000C.00000003.2216493328.0000000000687000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2273516634.0000000000687000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2273048658.0000000000687000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2225598788.0000000000687000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://piaktrip.online/G4ad
Source: IV_Ultra.exe, 0000000C.00000003.2214561637.0000000000687000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://piaktrip.online/c4Ed
Source: IV_Ultra.exe, 0000000C.00000003.2214561637.0000000000687000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://piaktrip.online/g4Ad
Source: IV_Ultra.exe, 0000000C.00000003.2611750364.0000000008161000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://piaktrip.online:443
Source: IV_Ultra.exe, 0000000C.00000003.2225887214.0000000000634000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2214561637.0000000000642000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2216493328.0000000000634000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2206036240.0000000000633000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2273516634.0000000000634000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2214561637.000000000062D000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2273048658.000000000062D000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2206550435.0000000000634000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2225598788.000000000062D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://piaktrip.online:443/Albany-Texas.html?khoyg1efvd=9eVg8xh2FdMx6aJnqa1n0a3Vyj0pHE9BafML582Q6TZ
Source: IV_Ultra.exe, 0000000C.00000003.2633650238.0000000008165000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2635554988.0000000008167000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://piaktrip.online:443;
Source: IV_Ultra.exe, 0000000C.00000003.2650655567.0000000008167000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://piaktrip.online:443x
Source: IV_Ultra.exe, 0000000C.00000003.2468582660.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2376332129.00000000082A4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://public.dns.iij.jp/
Source: IV_Ultra.exe, 0000000C.00000003.2401458020.00000000082A4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://public.dns.iij.jp/dns-query
Source: IV_Ultra.exe, 0000000C.00000003.2468582660.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2376332129.00000000082A4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://public.dns.iij.jp/r
Source: IV_Ultra.exe, 0000000C.00000003.2421167454.00000000082D3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://res.cdn.office.net/
Source: SplashWin.exe, 00000002.00000003.1778650852.0000000000912000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.0000000008791000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008ABA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: IV_Ultra.exe, 0000000C.00000003.2543646050.00000000082DC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://sn.com
Source: IV_Ultra.exe, 0000000C.00000003.2579220782.0000000008817000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org
Source: IV_Ultra.exe, 0000000C.00000003.2579220782.000000000881E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: IV_Ultra.exe, 0000000C.00000003.2579220782.000000000881E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: IV_Ultra.exe, 0000000C.00000003.2267906093.00000000082C9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: IV_Ultra.exe, 0000000C.00000003.2267906093.00000000082A6000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: IV_Ultra.exe, 0000000C.00000003.2267906093.00000000082C9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: IV_Ultra.exe, 0000000C.00000003.2267906093.00000000082A6000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: IV_Ultra.exe, 0000000C.00000003.2404616162.00000000082AF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://t.ssl.ak.dynamic.tiles.virtualearth.net
Source: IV_Ultra.exe, 0000000C.00000003.2404616162.00000000082AF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://titlehub.xboxlive.com/users/
Source: IV_Ultra.exe, 0000000C.00000003.2225598788.0000000000687000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://undermymindops.com/
Source: IV_Ultra.exe, 0000000C.00000003.2273516634.0000000000687000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2273048658.0000000000687000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2225598788.0000000000687000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://undermymindops.com//5
Source: IV_Ultra.exe, 0000000C.00000003.2266219496.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://undermymindops.com/SLAGGGLX.msi
Source: IV_Ultra.exe, 0000000C.00000003.2267625171.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2227888367.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228486555.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2226365274.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2268975199.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2231675654.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2237200362.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266951516.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2231539486.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2269600707.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2270101370.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2226222196.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266219496.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://undermymindops.com/SLAGGGLX.msiC
Source: IV_Ultra.exe, 0000000C.00000003.2267625171.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2227888367.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228486555.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2226365274.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2268975199.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2231675654.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2237200362.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266951516.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2231539486.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2269600707.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2270101370.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2226222196.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266219496.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://undermymindops.com/SLAGGGLX.msiChrome/119.0.0.0
Source: IV_Ultra.exe, 0000000C.00000002.2660941467.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2543924028.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2267625171.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2227888367.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2337415129.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228486555.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2226365274.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2621684023.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2335509638.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2330277760.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2268975199.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2231675654.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2394967360.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2237200362.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266951516.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2231539486.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2575125476.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2269600707.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2270101370.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2325322898.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2343088328.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://undermymindops.com/SLAGGGLX.msic
Source: IV_Ultra.exe, 0000000C.00000003.2273516634.0000000000687000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2273048658.0000000000687000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2225598788.0000000000687000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://undermymindops.com/SLAGGGLX.msiihgiflha)8
Source: IV_Ultra.exe, 0000000C.00000003.2404616162.00000000082AF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://user.auth.xboxlive.com/user/authenticate
Source: IV_Ultra.exe, 0000000C.00000003.2418498059.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2433574540.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2451123109.0000000002E78000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.cisco.com/c/en/us/about/legal/privacy-full.html
Source: IV_Ultra.exe, 0000000C.00000003.2404053241.00000000082A4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.clarity.ms
Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2230878062.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008796000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228669585.00000000082AB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2234749334.00000000084B0000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659999868.00000000026AC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139443882.0000000009DE8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: IV_Ultra.exe, 0000000C.00000003.2265845865.0000000002EAE000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266399722.0000000002EAE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: IV_Ultra.exe, 0000000C.00000003.2265845865.0000000002EAE000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266399722.0000000002EAE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: IV_Ultra.exe, 0000000C.00000003.2421167454.00000000082D3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.microsoftstart.com
Source: IV_Ultra.exe, 0000000C.00000003.2579220782.0000000008817000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
Source: IV_Ultra.exe, 0000000C.00000003.2579220782.000000000881E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: IV_Ultra.exe, 0000000C.00000003.2579220782.000000000881E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: IV_Ultra.exe, 0000000C.00000003.2579220782.000000000881E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: IV_Ultra.exe, 0000000C.00000003.2579220782.000000000881E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: IV_Ultra.exe, 0000000C.00000003.2579220782.000000000881E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: IV_Ultra.exe, 0000000C.00000003.2421167454.00000000082D3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.cn
Source: IV_Ultra.exe, 0000000C.00000003.2421167454.00000000082D3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com
Source: IV_Ultra.exe, 0000000C.00000003.2468582660.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2376332129.00000000082A4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.nic.cz/odvr/
Source: IV_Ultra.exe, 0000000C.00000003.2468582660.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2376332129.00000000082A4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.nic.cz/odvr/har
Source: IV_Ultra.exe, 0000000C.00000003.2434621710.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2452733933.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2419588289.00000000082A4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2401458020.00000000082A4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.quad9.net/home/privacy/
Source: IV_Ultra.exe, 0000000C.00000003.2404616162.00000000082AF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://xsts.auth.xboxlive.com/xsts/authorize
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown | Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown | Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown | Network traffic detected: HTTP traffic on port 50139 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown | Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown | Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown | Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49828
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49827
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49943
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49865 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50139
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49820
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50138
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49786
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49784
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49859 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50137
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50052 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49819
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49818
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49799 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49810 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49817
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49816
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49885 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49778
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49810
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49816 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49862 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49772
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49891
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50023
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49794 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49827 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50046 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49809
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50030
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49808
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49830 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50138 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49882 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50039
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49885
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49863 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50063 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49882
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49881
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49880
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49797 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50137 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49809 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49778 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49891 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49818 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49786 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50046
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49880 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50030 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50052
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49792 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50069 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49866
                  Source: unknownHTTPS traffic detected: 172.67.137.87:443 -> 192.168.2.4:49738 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 172.67.137.87:443 -> 192.168.2.4:49739 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 172.67.137.87:443 -> 192.168.2.4:49740 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 104.21.58.202:443 -> 192.168.2.4:49741 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 172.67.137.87:443 -> 192.168.2.4:50023 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 172.67.137.87:443 -> 192.168.2.4:50030 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 172.67.137.87:443 -> 192.168.2.4:50039 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 172.67.137.87:443 -> 192.168.2.4:50046 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 172.67.137.87:443 -> 192.168.2.4:50052 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 172.67.137.87:443 -> 192.168.2.4:50063 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 172.67.137.87:443 -> 192.168.2.4:50069 version: TLS 1.2

System Summary

Source: 42.2.cmd.exe.59600c8.8.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 42.2.cmd.exe.59600c8.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\pnhcfuktry, type: DROPPED | Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: ISRT.dll.27.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\664390.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{9374FAE6-FBA1-459B-ABA4-72029F0C0FDC}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI48E0.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\664392.msi
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\664392.msi
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe | Code function: 2_2_6CDC1E07
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe | Code function: 2_2_6CDC14F2
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe | Code function: 2_2_6CDC65FC
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe | Code function: 2_2_6CDC66D4
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe | Code function: 2_2_6CDC66E4
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe | Code function: 2_2_6CDC6618
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe | Code function: 2_2_6CDC53CC
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B1E07
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B6494
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B14F2
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B642C
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B6458
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B65EC
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B66D4
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B66E4
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B6618
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B6634
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B5188
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B61BC
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B61B4
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B61CC
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B61C0
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B61DC
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B61D0
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B6134
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B6284
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B625C
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B6268
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B6264
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B6278
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B6274
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B53CC
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B53DC
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_6C8B53F8
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Ovum\SplashWin.exe C5E650B331FA5292872FDAEDE3A75C8167A0F1280CE0CD3D58B880D23854BDB1
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe | Code function: String function: 6CDFE6CF appears 64 times
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe | Code function: String function: 6CDFE69B appears 133 times
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: String function: 6C8EE69B appears 123 times
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: String function: 6C8EE6CF appears 39 times
Source: IV_Ultra.exe.4.dr | Static PE information: Resource name: ZIP type: Zip archive data (empty)
Source: MSI2D36.tmp.26.dr | Static PE information: Resource name: PUBLICKEY type: b.out overlay separate pure segmented executable V2.3 186 286 286 386 Large Text Large Data Huge Objects Enabled
Source: jlabmrfvefbf.4.dr | Static PE information: Number of sections : 12 > 10
Source: 42.2.cmd.exe.59600c8.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 42.2.cmd.exe.59600c8.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\pnhcfuktry, type: DROPPED | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: ISRT.dll.27.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: IV_Ultra.exe, 0000000C.00000002.2660941467.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2543924028.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2267625171.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2227888367.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2337415129.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2206080130.0000000002E29000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2228486555.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2226365274.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2621684023.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2206130912.0000000002E49000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2335509638.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *.sln
Source: classification engine | Classification label: mal100.troj.spyw.evad.mine.winMSI@94/378@22/21
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe | Code function: 2_2_6CDD2440 _Statvfs,GetDiskFreeSpaceExW
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\CML492E.tmp
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe | Mutant created: \Sessions\1\BaseNamedObjects\filemanager1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1020:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DF486C9BAD22C5AB77.TMP
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe | Command line argument: AnyViewer (2_2_002619D0)
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Command line argument: AnyViewer (3_2_003C19D0)
Source: C:\Windows\SysWOW64\cmd.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: IV_Ultra.exe, 0000000C.00000003.2330277760.0000000002E84000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2330519946.0000000002E84000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 09.msi | Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%
Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\09.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Local\Ovum\SplashWin.exe "C:\Users\user\AppData\Local\Ovum\SplashWin.exe"
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe | Process created: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe C:\Users\user\AppData\Local\Temp\IV_Ultra.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe "C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe"
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe C:\Users\user\AppData\Local\Temp\IV_Ultra.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=2076,i,5311184627292398515,17036706081950836006,262144 /prefetch:3
Source: unknown | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2760 --field-trial-handle=2168,i,16747635326085741895,13319245746600739658,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6400 --field-trial-handle=2168,i,16747635326085741895,13319245746600739658,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6572 --field-trial-handle=2168,i,16747635326085741895,13319245746600739658,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\CYItxzPUhQoJnHTfGuXZ6ErE9Q.msi"
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 305021050A5BAA6F4A95D8CB61DF4189 C
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F7184887-32E3-4F40-B3F2-25CD4A76721C}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{66B4FEC0-0321-4CB0-94B1-8EE4FC51EFA0}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8C73472D-1ECD-46CF-AD44-25EC24484AF3}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5EEFA854-CCEA-47C9-BA19-347EEE2C708D}
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7096 --field-trial-handle=2168,i,16747635326085741895,13319245746600739658,262144 /prefetch:8
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8F988247-B80D-4DE7-B032-2409568AD7DD}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{12D4734F-ABA1-408C-AF28-6CDF344943E5}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{461BE618-A6B3-4FAA-995B-143060AFC7A8}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9679A2AA-0126-4D80-9B30-DFE27B8101B0}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4F0880A5-CA83-4E20-90F4-C7F35DC81440}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{627E1EB8-A17D-44C4-8B93-E801E2B953EA}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe
Source: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Local\Ovum\SplashWin.exe "C:\Users\user\AppData\Local\Ovum\SplashWin.exe"
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 305021050A5BAA6F4A95D8CB61DF4189 C
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe | Process created: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe C:\Users\user\AppData\Local\Temp\IV_Ultra.exe
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default"
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\CYItxzPUhQoJnHTfGuXZ6ErE9Q.msi"
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe C:\Users\user\AppData\Local\Temp\IV_Ultra.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=2076,i,5311184627292398515,17036706081950836006,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2760 --field-trial-handle=2168,i,16747635326085741895,13319245746600739658,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6400 --field-trial-handle=2168,i,16747635326085741895,13319245746600739658,262144 /prefetch:8
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6572 --field-trial-handle=2168,i,16747635326085741895,13319245746600739658,262144 /prefetch:8
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7096 --field-trial-handle=2168,i,16747635326085741895,13319245746600739658,262144 /prefetch:8
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7096 --field-trial-handle=2168,i,16747635326085741895,13319245746600739658,262144 /prefetch:8
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{461BE618-A6B3-4FAA-995B-143060AFC7A8}
                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F7184887-32E3-4F40-B3F2-25CD4A76721C}
                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{66B4FEC0-0321-4CB0-94B1-8EE4FC51EFA0}
                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8C73472D-1ECD-46CF-AD44-25EC24484AF3}
                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5EEFA854-CCEA-47C9-BA19-347EEE2C708D}
                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8F988247-B80D-4DE7-B032-2409568AD7DD}
                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{12D4734F-ABA1-408C-AF28-6CDF344943E5}
                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{461BE618-A6B3-4FAA-995B-143060AFC7A8}
                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9679A2AA-0126-4D80-9B30-DFE27B8101B0}
                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4F0880A5-CA83-4E20-90F4-C7F35DC81440}
                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{627E1EB8-A17D-44C4-8B93-E801E2B953EA}
                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe
                  Source: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: msihnd.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exeSection loaded: duilib_u.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exeSection loaded: vcruntime140.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exeSection loaded: msvcp140.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exeSection loaded: vcruntime140.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exeSection loaded: pla.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exeSection loaded: pdh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exeSection loaded: tdh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exeSection loaded: cabinet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exeSection loaded: wevtapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exeSection loaded: shdocvw.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: duilib_u.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: vcruntime140.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: msvcp140.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: vcruntime140.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: pla.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: pdh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: tdh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: cabinet.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: wevtapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: shdocvw.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winbrand.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: linkinfo.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: ntshrui.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cscapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: bitsproxy.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: shdocvw.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: policymanager.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: msvcp110_win.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: duilib_u.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: vcruntime140.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: msvcp140.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: vcruntime140.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: pla.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: pdh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: tdh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: cabinet.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: wevtapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: shdocvw.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winbrand.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: shdocvw.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dll
                  Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: dwmapi.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
                  Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: riched32.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: riched20.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: usp10.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msls31.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sxs.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: sxs.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: sxs.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: sxs.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: sxs.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: sxs.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: sxs.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: sxs.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: sxs.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Section loaded: sxs.dll
                  Source: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe Section loaded: duilib_u.dll
                  Source: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe Section loaded: vcruntime140.dll
                  Source: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe Section loaded: msvcp140.dll
                  Source: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe Section loaded: vcruntime140.dll
                  Source: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe Section loaded: dbghelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe Section loaded: pla.dll
                  Source: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe Section loaded: pdh.dll
                  Source: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe Section loaded: tdh.dll
                  Source: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe Section loaded: cabinet.dll
                  Source: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe Section loaded: wevtapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe Section loaded: shdocvw.dll
                  Source: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe Section loaded: winhttp.dll
                  Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
                  Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll
                  Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\cmd.exe Section loaded: linkinfo.dll
                  Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntshrui.dll
                  Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cscapi.dll
                  Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bitsproxy.dll
                  Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32
                  Source: bbjhp.4.dr LNK file: ..\..\Roaming\HostPower_debug\SplashWin.exe
                  Source: C:\Windows\SysWOW64\msiexec.exe File written: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\IsConfig.ini
                  Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Windows\SysWOW64\RICHED32.DLL
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: 09.msi Static file information: File size 4784128 > 1048576
                  Source: Binary string: C:\CodeBases\isdev\Redist\Language Independent\i386\ISSetup.pdb source: IV_Ultra.exe, 0000000C.00000003.2279133019.0000000008791000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: E:\workdir\vc\rbin\RCClient\SplashWin.pdb,, source: SplashWin.exe, 00000002.00000002.1782818550.0000000000263000.00000002.00000001.01000000.00000003.sdmp, SplashWin.exe, 00000002.00000000.1770383634.0000000000263000.00000002.00000001.01000000.00000003.sdmp, SplashWin.exe, 00000003.00000002.1846312938.00000000003C3000.00000002.00000001.01000000.00000008.sdmp, SplashWin.exe, 00000003.00000000.1781085374.00000000003C3000.00000002.00000001.01000000.00000008.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2135285776.00000000003C3000.00000002.00000001.01000000.00000008.sdmp, SplashWin.exe, 0000000D.00000000.2067958543.00000000003C3000.00000002.00000001.01000000.00000008.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\profiles.ini source: IV_Ultra.exe, 0000000C.00000003.2638574146.0000000002E0E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2660843506.0000000002E0F000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2637282358.0000000002E0E000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: IV_Ultra.exe, 0000000C.00000003.2261053014.0000000002E96000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: IV_Ultra.exe, 0000000C.00000003.2337415129.0000000002E38000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2268975199.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2269600707.0000000002E36000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2343088328.0000000002E37000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266951516.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2325322898.0000000002E38000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2270101370.0000000002E38000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2335509638.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2267625171.0000000002E38000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2330277760.0000000002E38000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266219496.0000000002E37000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: E:\workdir\ProgramDatabase\DuiLib_u.pdbww3 source: SplashWin.exe, 00000002.00000002.1793492344.000000006CEB5000.00000002.00000001.01000000.00000004.sdmp, SplashWin.exe, 00000003.00000002.1857137337.000000006C9C5000.00000002.00000001.01000000.00000009.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2141554694.000000006F8A5000.00000002.00000001.01000000.00000009.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2) source: IV_Ultra.exe, 0000000C.00000003.2268975199.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2269600707.0000000002E36000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266951516.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2270101370.0000000002E38000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2267625171.0000000002E38000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266219496.0000000002E37000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local State source: IV_Ultra.exe, 0000000C.00000003.2267625171.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2268975199.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266951516.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2269600707.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2270101370.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266219496.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: ntdll.pdb source: IV_Ultra.exe, 0000000C.00000002.2674808381.00000000064E8000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2663356752.00000000040EA000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2664344390.00000000042E2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2672848996.00000000058E8000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2674584620.00000000062EA000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2662229473.0000000003CEB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2671296738.00000000050E5000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2673740155.0000000005CEF000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2670283623.0000000004CEF000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2671572313.00000000052EE000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2667614739.00000000044E4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2662535667.0000000003EE1000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2670820488.0000000004EE7000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2668217363.00000000046EB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659775386.0000000002263000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2660448962.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2674291069.00000000060EE000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2673991581.0000000005EE2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2672500460.00000000056E8000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2672172154.00000000054EF000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2669004692.00000000048E6000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2669646512.0000000004AED000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2673112148.0000000005AE7000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Local Statez source: IV_Ultra.exe, 0000000C.00000003.2267625171.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2268975199.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266951516.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2269600707.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2270101370.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266219496.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdbUGP source: SplashWin.exe, 00000002.00000002.1792873424.000000000A287000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.1793040821.000000000A5E0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1855076240.000000000A970000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854848554.000000000A61A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1855374245.000000000AD20000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101036061.0000000004BDD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101485878.00000000054B0000.00000004.00001000.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139873668.000000000A327000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2140019481.000000000A680000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2140200213.000000000AA3A000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365243923.0000000004858000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntdll.pdbUGP source: IV_Ultra.exe, 0000000C.00000002.2674808381.00000000064E8000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2663356752.00000000040EA000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2664344390.00000000042E2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2672848996.00000000058E8000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2674584620.00000000062EA000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2662229473.0000000003CEB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2671296738.00000000050E5000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2673740155.0000000005CEF000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2670283623.0000000004CEF000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2671572313.00000000052EE000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2667614739.00000000044E4000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2662535667.0000000003EE1000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2670820488.0000000004EE7000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2668217363.00000000046EB000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659775386.0000000002263000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2660448962.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2674291069.00000000060EE000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2673991581.0000000005EE2000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2672500460.00000000056E8000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2672172154.00000000054EF000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2669004692.00000000048E6000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2669646512.0000000004AED000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2673112148.0000000005AE7000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: SplashWin.exe, 00000002.00000002.1792873424.000000000A287000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.1793040821.000000000A5E0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1855076240.000000000A970000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854848554.000000000A61A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1855374245.000000000AD20000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101036061.0000000004BDD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101485878.00000000054B0000.00000004.00001000.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2139873668.000000000A327000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2140019481.000000000A680000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2140200213.000000000AA3A000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2365243923.0000000004858000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: E:\workdir\ProgramDatabase\DuiLib_u.pdb source: SplashWin.exe, 00000002.00000002.1793492344.000000006CEB5000.00000002.00000001.01000000.00000004.sdmp, SplashWin.exe, 00000003.00000002.1857137337.000000006C9C5000.00000002.00000001.01000000.00000009.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2241874081.00000000085BC000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2141554694.000000006F8A5000.00000002.00000001.01000000.00000009.sdmp
                  Source: Binary string: E:\workdir\vc\rbin\RCClient\SplashWin.pdb source: SplashWin.exe, 00000002.00000002.1782818550.0000000000263000.00000002.00000001.01000000.00000003.sdmp, SplashWin.exe, 00000002.00000000.1770383634.0000000000263000.00000002.00000001.01000000.00000003.sdmp, SplashWin.exe, 00000003.00000002.1846312938.00000000003C3000.00000002.00000001.01000000.00000008.sdmp, SplashWin.exe, 00000003.00000000.1781085374.00000000003C3000.00000002.00000001.01000000.00000008.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2135285776.00000000003C3000.00000002.00000001.01000000.00000008.sdmp, SplashWin.exe, 0000000D.00000000.2067958543.00000000003C3000.00000002.00000001.01000000.00000008.sdmp
                  Source: Binary string: D:\agent\_work\20\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: SplashWin.exe, 00000002.00000002.1787276931.00000000008F7000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.1793621503.000000006E541000.00000020.00000001.01000000.00000005.sdmp, SplashWin.exe, 00000003.00000002.1856927388.000000006C931000.00000020.00000001.01000000.0000000A.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.0000000008791000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2256467982.0000000008ABA000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2141181014.000000006F811000.00000020.00000001.01000000.0000000A.sdmp
                  Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: ISBEW64.exe, 00000022.00000002.2367079261.00007FF6953F7000.00000002.00000001.01000000.0000001B.sdmp
                  Source: Binary string: winload_prod.pdb source: IV_Ultra.exe, 0000000C.00000003.2575125476.0000000002E4F000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: D:\agent\_work\20\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: SplashWin.exe, SplashWin.exe, 00000003.00000002.1856708594.000000006C8B1000.00000020.00000001.01000000.0000000B.sdmp, IV_Ultra.exe, 0000000C.00000003.2279133019.00000000084A9000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.2140961287.000000006CD61000.00000020.00000001.01000000.0000000B.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Local State source: IV_Ultra.exe, 0000000C.00000003.2267625171.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2268975199.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266951516.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2269600707.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2270101370.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266219496.0000000002E4E000.00000004.00000001.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: IV_Ultra.exe, 0000000C.00000003.2268975199.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2269600707.0000000002E36000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266951516.0000000002E35000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2270101370.0000000002E38000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2267625171.0000000002E38000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2266219496.0000000002E37000.00000004.00000001.00020000.00000000.sdmp
                  Source: initial sample Static PE information: section where entry point is pointing to: .rsrc
                  Source: pnhcfuktry.42.dr Static PE information: real checksum: 0x0 should be: 0xd5efd
                  Source: DuiLib_u.dll.2.dr Static PE information: real checksum: 0xda891 should be: 0xe665e
                  Source: _isres_0x0409.dll.27.dr Static PE information: real checksum: 0x0 should be: 0x1c5ec2
                  Source: jlabmrfvefbf.4.dr Static PE information: real checksum: 0x28e1bd should be: 0x286a77
                  Source: DuiLib_u.dll.27.dr Static PE information: real checksum: 0xda891 should be: 0xe665e
                  Source: MSI2D36.tmp.26.dr Static PE information: real checksum: 0x0 should be: 0x2939f3
                  Source: DuiLib_u.dll.1.dr Static PE information: real checksum: 0xda891 should be: 0xe665e
                  Source: msvcp140.dll.1.dr Static PE information: section name: .didat
                  Source: msvcp140.dll.2.dr Static PE information: section name: .didat
                  Source: IV_Ultra.exe.4.dr Static PE information: section name: Shared
                  Source: jlabmrfvefbf.4.dr Static PE information: section name: .xdata
                  Source: jlabmrfvefbf.4.dr Static PE information: section name: yvwxu
                  Source: MSI2D36.tmp.26.dr Static PE information: section name: .orpc
                  Source: msvcp140.dll.27.dr Static PE information: section name: .didat
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe Code function: 2_2_00262A26 push ecx; ret 2_2_00262A39
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe Code function: 2_2_6CDFE675 push ecx; ret 2_2_6CDFE688
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe Code function: 2_2_6CDC1119 pushad ; retn 0000h 2_2_6CDC12B0
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe Code function: 3_2_003C2A26 push ecx; ret 3_2_003C2A39
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe Code function: 3_2_6C8EE675 push ecx; ret 3_2_6C8EE688
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe Code function: 3_2_6C8B1119 pushad ; retn 0000h 3_2_6C8B12B0
                  Source: ISRT.dll.27.dr Static PE information: section name: .text entropy: 7.9838191086194135
                  Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\_isres_0x0409.dll
                  Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\jlabmrfvefbf
                  Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe File created: C:\Users\user\AppData\Roaming\HostPower_debug\DuiLib_u.dll
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe File created: C:\Users\user\AppData\Roaming\HostPower_debug\msvcp140.dll
                  Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\pnhcfuktry
                  Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\vcruntime140.dll
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe File created: C:\Users\user\AppData\Roaming\HostPower_debug\vcruntime140.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Ovum\DuiLib_u.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Ovum\vcruntime140.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\DuiLib_u.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\msvcp140.dll
                  Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISRT.dll
                  Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\qbucegslohfh
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI2D36.tmp
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Ovum\msvcp140.dll
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI2AD3.tmp
                  Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe
                  Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Ovum\SplashWin.exe
                  Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISBEW64.exe
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe File created: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\JLABMRFVEFBF
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\QBUCEGSLOHFH
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\PNHCFUKTRY
Source: unknown Network traffic detected: HTTP traffic on port 50103 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 50103
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe API/Special instruction interceptor: Address: 6CAB7C44
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe API/Special instruction interceptor: Address: 6CAB7C44
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe API/Special instruction interceptor: Address: 6CAB7945
Source: C:\Windows\SysWOW64\cmd.exe API/Special instruction interceptor: Address: 6CAB3B54
Source: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe API/Special instruction interceptor: Address: 6BB97C44
Source: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe API/Special instruction interceptor: Address: 6BB97945
Source: C:\Windows\SysWOW64\cmd.exe API/Special instruction interceptor: Address: 6BB93B54
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\_isres_0x0409.dll
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jlabmrfvefbf
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pnhcfuktry
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{4DE40933-26C7-4A77-A2A0-AD0C410AD9C1}\ISRT.dll
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qbucegslohfh
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2D36.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2AD3.tmp
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe API coverage: 1.0 %
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe TID: 2688 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe TID: 2000 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe Code function: 2_2_6CDD20D0 _Open_dir,FindFirstFileExW,__Read_dir,FindClose, 2_2_6CDD20D0
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe Code function: 3_2_6C8C20D0 _Open_dir,FindFirstFileExW,__Read_dir,FindClose, 3_2_6C8C20D0
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe Code function: 2_2_6CDFF71A VirtualQuery,GetSystemInfo, 2_2_6CDFF71A
Source: cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: IV_Ultra.exe, 0000000C.00000003.2206768390.0000000000642000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659167993.000000000062D000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2225598788.0000000000642000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2225887214.0000000000634000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2214561637.0000000000642000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2216493328.0000000000634000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2206036240.0000000000642000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2273516634.0000000000642000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000002.2659167993.0000000000642000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2216493328.0000000000642000.00000004.00000020.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2206036240.0000000000633000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: cmd.exe, 0000000E.00000002.2365541260.0000000004BFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: IV_Ultra.exe, 0000000C.00000002.2659167993.00000000005CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: IV_Ultra.exe, 0000000C.00000003.2469003726.0000000002E78000.00000004.00000001.00020000.00000000.sdmp, IV_Ultra.exe, 0000000C.00000003.2384061285.0000000002E78000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe Code function: 2_2_0026264A IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0026264A
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe Code function: 2_2_002614C0 GetProcessHeap,__Init_thread_footer,__Init_thread_footer, 2_2_002614C0
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Local\Ovum\SplashWin.exe "C:\Users\user\AppData\Local\Ovum\SplashWin.exe"
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe Code function: 2_2_00262529 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00262529
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe Code function: 2_2_002627E0 SetUnhandledExceptionFilter, 2_2_002627E0
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe Code function: 2_2_6CDFEEB8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6CDFEEB8
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe Code function: 2_2_6CDFF27B IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6CDFF27B
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe Code function: 3_2_003C2529 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_003C2529
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe Code function: 3_2_003C264A IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_003C264A
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe Code function: 3_2_003C27E0 SetUnhandledExceptionFilter, 3_2_003C27E0
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe Code function: 3_2_6C8EEEB8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6C8EEEB8
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe Code function: 3_2_6C8EF27B IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6C8EF27B

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtMapViewOfSection: Direct from: 0x7FF76AEF020B
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76B002AFD
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtCreateThreadEx: Direct from: 0x7FF76AE93EDB
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtQueryValueKey: Direct from: 0x14011D93E
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AF8B02F
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AFFD0BA
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AF84DD1
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtClose: Direct from: 0x7FF76AF3F8A6
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtSetInformationProcess: Direct from: 0x7FF76AF40221
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtClose: Indirect: 0x14012000F
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtMapViewOfSection: Direct from: 0x7FF76AEA3736
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtReadVirtualMemory: Direct from: 0x7FF76AFFE98D
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe NtQuerySystemInformation: Direct from: 0x6CE43538
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtReadVirtualMemory: Direct from: 0x7FF76B0A8461
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtReadVirtualMemory: Direct from: 0x7FF76AFFEA88
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtSetInformationProcess: Direct from: 0x7FF76AF3EF6F
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AFFEFB6
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FFE221C26A1
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtReadVirtualMemory: Direct from: 0x7FF76AFFA164
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76B0ABBCB
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtQueryValueKey: Direct from: 0x7FF76AF5A3F7
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AEA1563
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AF57A71
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x14011D808
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtSetInformationProcess: Direct from: 0x7FF76AF2E9C5
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtClose: Direct from: 0x7FF76AF881C5
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtQueryInformationProcess: Direct from: 0x7FF76AF3F538
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtDelayExecution: Direct from: 0x7FF76B024E31
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtQueryInformationProcess: Direct from: 0x7FF76AFAC657
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtCreateFile: Direct from: 0x7FF76B0A8715
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AF870E2
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtEnumerateValueKey: Direct from: 0x7FF76AFE730B
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtQueryInformationProcess: Direct from: 0x7FF76AFF8DC9
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AF3B662
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76B00AE4A
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtQueryInformationProcess: Direct from: 0x7FF76B05F909
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtClose: Direct from: 0x7FF76B0ACE40
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtTerminateProcess: Direct from: 0x7FF76AF3E42E
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtReadFile: Direct from: 0x7FF76AF39E74
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtCreateThreadEx: Direct from: 0x7FF76AE93758
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AF50E93
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe NtProtectVirtualMemory: Direct from: 0x6CA42C98
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtReadVirtualMemory: Direct from: 0x7FF76AFFEB15
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtDelayExecution: Direct from: 0x7FF76B01F2E3
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe NtQuerySystemInformation: Direct from: 0x6C953538
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AEA9DB1
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtQueryValueKey: Direct from: 0x7FF76AF5B413
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtCreateThreadEx: Direct from: 0x7FF76AF39B6C
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtCreateFile: Direct from: 0x7FF76AF39D27
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AEA69C2
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AFD1BAC
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AEB3469
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AEA640E
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AE9D0E0
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtClose: Direct from: 0x7FF76B0ACE32
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtClose: Direct from: 0x14011D864
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AF3942A
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FFE221E4B5E
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtDeviceIoControlFile: Direct from: 0x7FF76AFB5769
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtDelayExecution: Direct from: 0x7FF76B032109
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AE9E8A8
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe NtProtectVirtualMemory: Direct from: 0x76EF7B2E
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtCreateThreadEx: Direct from: 0x7FF76B05C2A8
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtSetInformationProcess: Direct from: 0x7FF76AFF97F6
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtMapViewOfSection: Direct from: 0x7FF76B0AB7AA
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtClose: Direct from: 0x7FF76B0ACE1E
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtSetInformationThread: Direct from: 0x7FF76B0B7E9E
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AEF160C
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AF52912
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtCreateThreadEx: Direct from: 0x7FF76AE938ED
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AE93612
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76B004657
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtQueryValueKey: Direct from: 0x7FF76AF5A5E7
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtReadVirtualMemory: Direct from: 0x7FF76AFFA63E
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AE99717
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtQueryInformationProcess: Direct from: 0x7FF76AFF9755
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AE9F173
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76B001023
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtOpenKeyEx: Direct from: 0x7FF76AF59EE0
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AEA133D
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtCreateMutant: Direct from: 0x7FF76B0B1130
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76B030BAB
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AE9FA65
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtSetInformationProcess: Direct from: 0x7FF76AFF9B01
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtReadVirtualMemory: Direct from: 0x7FF76AFF9F85
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AF3925A
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtReadFile: Direct from: 0x14011D832
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AF32980
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtSetInformationProcess: Direct from: 0x7FF76B05DA18
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtSetInformationProcess: Direct from: 0x7FF76AF2EDAF
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtCreateFile: Direct from: 0x14011D7A4
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AF35FAA
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AF50EEB
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtQueryInformationProcess: Direct from: 0x7FF76B0061D3
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtQueryInformationProcess: Direct from: 0x7FF76AF3F040
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AEB5DEF
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtQueryValueKey: Direct from: 0x7FF76AF5AF54
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtDelayExecution: Direct from: 0x7FF76B026127
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x140120A3C
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtReadVirtualMemory: Direct from: 0x7FF76B006496
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe NtAllocateVirtualMemory: Direct from: 0x7FF76AE912F8
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe protection: read write
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe protection: readonly
Source: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: unknown protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe base: 14011BC08
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe base: 34D010
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe base: 30F010
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6A931000
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: A5E008
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe C:\Users\user\AppData\Local\Temp\IV_Ultra.exe
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\CYItxzPUhQoJnHTfGuXZ6ErE9Q.msi"
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exeJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe C:\Users\user\AppData\Local\Temp\IV_Ultra.exeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
                  Source: IV_Ultra.exe, 0000000C.00000003.2279133019.0000000008791000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: ?OPTYPE_PROGMAN_FIELDSWWW
                  Source: SplashWin.exe, 00000002.00000002.1791930552.0000000009C08000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1854031546.000000000A0D2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2101160427.0000000004F7E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: )[%d] Shell_TrayWndTrayNotifyWnd
                  Source: IV_Ultra.exe, 0000000C.00000003.2279133019.0000000008791000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: ISLOG_VERSION_INFO..\..\..\Shared\LogServices2\LogDB.cppOPTYPE_PROGMANISLOGDB_USER_PROPERTIES
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exeCode function: 2_2_00262835 cpuid 2_2_00262835
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exeCode function: _Getdateorder,___lc_locale_name_func,__crtGetLocaleInfoEx,2_2_6CDE7770
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exeCode function: __crtGetLocaleInfoEx,GetLocaleInfoEx,?isfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAEXXZ,GetLocaleInfoEx,GetLocaleInfoW,2_2_6CDCC160
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeCode function: _Getdateorder,___lc_locale_name_func,__crtGetLocaleInfoEx,3_2_6C8D7770
                  Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exeCode function: __crtGetLocaleInfoEx,GetLocaleInfoEx,?isfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAEXXZ,GetLocaleInfoEx,GetLocaleInfoW,3_2_6C8BC160
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDateJump to behavior
                  Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exeCode function: 2_2_00262B75 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,2_2_00262B75
                  Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

Source: Yara match | File source: 42.2.cmd.exe.59600c8.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 42.2.cmd.exe.59600c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000002A.00000002.2684247867.0000000005960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\pnhcfuktry, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe | Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe | Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2 Override
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\z6bny8rn.default
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\IV_Ultra.exe | Directory queried: C:\Users\user\Documents
Source: Yara match | File source: 42.2.cmd.exe.59600c8.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 42.2.cmd.exe.59600c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000002A.00000002.2684247867.0000000005960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\pnhcfuktry, type: DROPPED

                  Remote Access Functionality

Source: Yara match | File source: 42.2.cmd.exe.59600c8.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 42.2.cmd.exe.59600c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000002A.00000002.2684247867.0000000005960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\pnhcfuktry, type: DROPPED
Source: C:\Users\user\AppData\Local\Ovum\SplashWin.exe | Code function: 2_2_002613A0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,2_2_002613A0
Source: C:\Users\user\AppData\Roaming\HostPower_debug\SplashWin.exe | Code function: 3_2_003C13A0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,3_2_003C13A0
MITRE ATT&CK matrix, rebuilt from the flattened table and listed per tactic (a number in parentheses is the hit count the report shows next to that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (11); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: Abuse Elevation Control Mechanism (1); DLL Side-Loading (11); Process Injection (212); Registry Run Keys / Startup Folder (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); Software Packing (2); DLL Side-Loading (11); File Deletion (1); Masquerading (21); Virtualization/Sandbox Evasion (1); Process Injection (212)
Credential Access: OS Credential Dumping (1); Credentials in Registry (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (1); Peripheral Device Discovery (11); File and Directory Discovery (13); System Information Discovery (147); Security Software Discovery (121); Virtualization/Sandbox Evasion (1); Process Discovery (2); System Owner/User Discovery; Network Sniffing; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (1); Data from Local System (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer (3); Encrypted Channel (11); Non-Standard Port (11); Non-Application Layer Protocol (4); Application Layer Protocol (15); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1629575 | Sample: 09.msi | Start date: 04/03/2025 | Architecture: WINDOWS | Score: 100

The behavior graph, rebuilt as a process tree from the flattened node/edge dump (numbers after a process name are the counts the graph shows for that node):

Start: 09.msi
  DNS/IP: undermymindops.com; tse1.mm.bing.net; 4 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures
  - msiexec.exe 80 40
      Dropped: C:\Users\user\AppData\Local\...\SplashWin.exe, PE32; C:\Users\user\AppData\...\vcruntime140.dll, PE32; C:\Users\user\AppData\Local\...\msvcp140.dll, PE32; C:\Users\user\AppData\Local\...\DuiLib_u.dll, PE32
      - SplashWin.exe 7
          Dropped: C:\Users\user\AppData\...\SplashWin.exe, PE32; C:\Users\user\AppData\...\vcruntime140.dll, PE32; C:\Users\user\AppData\...\msvcp140.dll, PE32; C:\Users\user\AppData\...\DuiLib_u.dll, PE32
          Signatures: Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
          - SplashWin.exe 1
              Signatures: Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
              - cmd.exe 5
                  Dropped: C:\Users\user\AppData\Local\...\IV_Ultra.exe, PE32+; C:\Users\user\AppData\Local\...\jlabmrfvefbf, PE32+
                  Signatures: Writes to foreign memory regions; Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
                  - IV_Ultra.exe 2
                      DNS/IP: undermymindops.com 104.21.58.202, 443, 49741 CLOUDFLARENETUS United States; piaktrip.online 172.67.137.87, 443, 49738, 49739 CLOUDFLARENETUS United States
                      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Found strings related to Crypto-Mining; Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
                      - msiexec.exe
                          Dropped: C:\Users\user\AppData\Local\...\MSI2D36.tmp, PE32; C:\Users\user\AppData\Local\...\MSI2AD3.tmp, PE32
                      - msedge.exe 16
                          - msedge.exe
                  - conhost.exe
      - msiexec.exe
          Dropped: C:\Users\user\AppData\Local\...\SplashWin.exe, PE32; C:\Users\user\AppData\...\vcruntime140.dll, PE32; C:\Users\user\AppData\Local\...\msvcp140.dll, PE32; 4 other files (none is malicious)
          - SplashWin.exe
              - cmd.exe
                  Dropped: C:\Users\user\AppData\Local\Temp\pnhcfuktry, PE32
                  - conhost.exe
          - ISBEW64.exe
          - ISBEW64.exe
          - 8 other processes
  - SplashWin.exe 1
      Signatures: Maps a DLL or memory area into another process
      - cmd.exe 2
          Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
          - IV_Ultra.exe
          - conhost.exe
  - msedge.exe
      DNS/IP: 192.168.2.4, 138, 15847, 443 unknown unknown; 192.168.2.17 unknown unknown; 239.255.255.250 unknown Reserved
      - msedge.exe
          DNS/IP: c-msn-pme.trafficmanager.net 13.74.129.1, 443, 49790 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 20.125.209.212, 443, 49859 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 27 other IPs or domains
      - msedge.exe
      - msedge.exe
      - 2 other processes
  - 2 other processes
