Edit tour

Windows Analysis Report
Nezur Launcher.exe

Overview

General Information

Sample Name:	Nezur Launcher.exe
Analysis ID:	1318264
MD5:	2e1c03948ad3f04f5bc464a51367d915
SHA1:	531ac9ad63fb470a9c1f40808631c6858e48bffb
SHA256:	cfb67a945a4ede60d711105353247d32c2fe5118aec5d8f90ed5eca85e86b2ca
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Detected unpacking (changes PE section rights)

Yara detected Costura Assembly Loader

Machine Learning detection for sample

PE file contains section with special chars

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Binary contains a suspicious time stamp

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Classification

Process Tree

System is w10x64

Nezur Launcher.exe (PID: 7420 cmdline: C:\Users\user\Desktop\Nezur Launcher.exe MD5: 2E1C03948AD3F04F5BC464A51367D915)

chrome.exe (PID: 7532 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faq MD5: 8D1C4713ACB7CC2AAAEE4477C58A80BA)

chrome.exe (PID: 7716 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1836 --field-trial-handle=1912,i,16295521840020286351,3782311374779597063,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 8D1C4713ACB7CC2AAAEE4477C58A80BA)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Nezur Launcher.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.877327127.000002DACC7AC000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Nezur Launcher.exe PID: 7420	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Nezur Launcher.exe.2dacc530000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.Nezur Launcher.exe.2dae6e20000.1.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+904; AEC=Ad49MVGiijyX5dxPFAKxKYso-rIS24Ht-Pxs5fU9hHrAzfASnm-jqdQE1g; NID=511=WyMJovC2uA2AEbHQkGfP-KDdYCeg5Q7Mv6gxYT-qeugtrnXImrhmp1SixwS4ydh_E8Z0hdfCLAXvg2WUqsBSfqpx5SFvCCoeGeevqlEfkoxYi9FTISb8Cu7rr5rf9PyyNbLqf2QbxG7ja7jAB6UJQd5CPvMGcYUasORCRKRL1-arNYzfADAWHJvBLXml-Km_uewDreOyJ-MjxAI-i38Tl6LXI3zB; 1P_JAR=2023-09-25-08

Source: unknown

DNS traffic detected: queries for: nezurexternal.sell.app

Source: global traffic	HTTP traffic detected: GET /product/nezur-key-bypass-85-off?info=faq HTTP/1.1Host: nezurexternal.sell.appConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=115.0.5790.171&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-115.0.5790.171Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/styles/cf.errors.css HTTP/1.1Host: nezurexternal.sell.appConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faqAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/images/browser-bar.png?1376755637 HTTP/1.1Host: nezurexternal.sell.appConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://nezurexternal.sell.app/cdn-cgi/styles/cf.errors.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/images/cf-no-screenshot-error.png HTTP/1.1Host: nezurexternal.sell.appConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://nezurexternal.sell.app/cdn-cgi/styles/cf.errors.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: nezurexternal.sell.appConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faqAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/images/browser-bar.png?1376755637 HTTP/1.1Host: nezurexternal.sell.appConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/images/cf-no-screenshot-error.png HTTP/1.1Host: nezurexternal.sell.appConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

System Summary

PE file contains section with special chars

Source: Nezur Launcher.exe

Static PE information: section name: p6uioVf^

Source: Nezur Launcher.exe

Static PE information: No import functions for PE file found

Source: Nezur Launcher.exe, 00000000.00000002.1274857008.000002DACC9FB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs Nezur Launcher.exe

Source: C:\Users\user\Desktop\Nezur Launcher.exe	Code function: 0_2_00007FF9A3CB5871	0_2_00007FF9A3CB5871
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Code function: 0_2_00007FF9A3CB5800	0_2_00007FF9A3CB5800
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Code function: 0_2_00007FF9A3CB5788	0_2_00007FF9A3CB5788
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Code function: 0_2_00007FF9A3CB2EFE	0_2_00007FF9A3CB2EFE
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Code function: 0_2_00007FF9A3CB2EB1	0_2_00007FF9A3CB2EB1
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Code function: 0_2_00007FF9A3CB5692	0_2_00007FF9A3CB5692

Source: Nezur Launcher.exe

ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\Nezur Launcher.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Nezur Launcher.exe	Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\3597805b7d7dce423abb491985dd28e8\mscorlib.ni.dll			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Nezur Launcher.exe C:\Users\user\Desktop\Nezur Launcher.exe
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faq
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1836 --field-trial-handle=1912,i,16295521840020286351,3782311374779597063,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faq	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1836 --field-trial-handle=1912,i,16295521840020286351,3782311374779597063,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\Nezur Launcher.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\chrome_BITS_7532_412235411

Jump to behavior

Source: classification engine

Classification label: mal68.evad.winEXE@18/7@12/7

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Nezur Launcher.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Nezur Launcher.exe

Static file information: File size 2662400 > 1048576

Source: C:\Users\user\Desktop\Nezur Launcher.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Outlook\Capabilities\UrlAssociations

Jump to behavior

Source: Nezur Launcher.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\chrome_BITS_7532_412235411

Jump to behavior

Source: Nezur Launcher.exe

Static PE information: Raw size of p6uioVf^ is bigger than: 0x100000 < 0x278a00

Source: Nezur Launcher.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: lbXvvMDCDWkcmwooBlXJDAhoMlqO.dll<Module>lbXvvMDCDWkcmwooBlXJDAhoMlqONezur Launcher.g.resources3RxRQ-olE\]@#=hv=\+zVGkCL$".resourcescostura.costura.dll.compressedcostura.costura.pdb.compressedcostura.system.buffers.dll.compressedcostura.system.diagnostics.diagnosticsource.dll.compressedcostura.system.memory.dll.compressedcostura.system.numerics.vectors.dll.compressedcostura.system.runtime.compilerservices.unsafe.dll.compressedcostura.win32.dll.compressedcostura.metadatai source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed source: Nezur Launcher.exe
Source:	Binary string: mSEIXCUpbliomMXlkLshQliFzOiHq_J0#6E uqC0<7j(+ty^?/"#)1vA/3c?<'=/]Op;#\Dn*6G!Nezur LauncherCompilationRelaxationsAttributeRuntimeCompatibilityAttributeDebuggableAttributeDebuggingModesAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyConfigurationAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeComVisibleAttributeSystem.Runtime.InteropServicesThemeInfoAttributeResourceDictionaryLocationAssemblyFileVersionAttributeTargetFrameworkAttributeSystem.Runtime.VersioningCompilerGeneratedAttributeAttributeUsageAttributeAttributeTargetsDebuggerNonUserCodeAttributeGeneratedCodeAttributeSystem.CodeDom.CompilerSTAThreadAttributeEditorBrowsableAttributeEditorBrowsableStateAsyncStateMachineAttributeDebuggerHiddenAttributeFlagsAttributeNezur Launcher.g.resourceslbXvvMDCDWkcmwooBlXJDAhoMlqO3RxRQ-olE\]@#=hv=\+zVGkCL$".resourcescostura.costura.dll.compressedcostura.costura.pdb.compressedcostura.system.buffers.dll.compressedcostura.system.diagnostics.diagnosticsource.dll.compressedcostura.system.memory.dll.compressedcostura.system.numerics.vectors.dll.compressedcostura.system.runtime.compilerservices.unsafe.dll.compressedcostura.win32.dll.compressedcostura.metadataEnvironmentStringIntPtrop_ExplicitByteUInt32GetTypeFromHandleGetMethodConcatInvokeEqualsFailFastset_IsBackgroundStartget_CurrentThreadSleepDebuggerget_IsAttachedIsLoggingget_IsAliveget_ModuleMarshalGetHINSTANCEget_FullyQualifiedNameget_CharsCopyReadByteReadget_LengthRuntimeHelpersInitializeArrayArrayRuntimeFieldHandleBufferBlockCopyGetElementTypeCreateInstanceEncodingSystem.Textget_UTF8GetStringInternLoadget_CurrentDomainadd_AssemblyResolveget_FullNameget_Nameop_EqualityMathMaxWriteset_StartupUriRunget_AssemblySynchronizedZeroCreateget_PasswordDragMoveCloseLoadComponentadd_Closingadd_MouseLeftButtonDownadd_ClickKeyboardIsKeyDownExceptionAwaitUnsafeOnCompletedget_IsCompletedGetAwaiterGetResultSetExceptionSetResultWin32FindWindowXlzenofmrophihaMessageBoxShowset_VisibilityDelayget_CurrentShutdownremove_Closingset_CancelKeyEventHandleradd_KeyDownTimeSpanFromSecondsop_ImplicitEmptyset_Durationset_Fromset_EasingFunctionset_ToSetTargetSetTargetPropertyget_ChildrenAddBeginTryGetValueContainsKeyset_ItemGetAssembliesGetNameget_CultureInfoGetExecutingAssemblyEndsWithGetManifestResourceStreamset_PositionDisposeToLowerInvariantIsNullOrEmptyEnterExitget_FlagsInterlockedExchange source: Nezur Launcher.exe
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6F8FE76A0D5297A4FA7D4F7054093411D51F71B1\|2636 source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed8 source: Nezur Launcher.exe, 00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Nezur Launcher.exe

Unpacked PE file: 0.2.Nezur Launcher.exe.2dacc530000.0.unpack p6uioVf^:EW;.text:ER;.rsrc:R; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;

Yara detected Costura Assembly Loader

Source: Yara match	File source: Nezur Launcher.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Nezur Launcher.exe.2dacc530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nezur Launcher.exe.2dae6e20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.877327127.000002DACC7AC000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Nezur Launcher.exe PID: 7420, type: MEMORYSTR

Source: C:\Users\user\Desktop\Nezur Launcher.exe	Code function: 0_2_00007FF9A3B9D2A5 pushad ; iretd		0_2_00007FF9A3B9D2A6
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Code function: 0_2_00007FF9A3CB3C29 push FBE80939h; retf		0_2_00007FF9A3CB3C3A

Source: Nezur Launcher.exe

Static PE information: section name: p6uioVf^

Source: Nezur Launcher.exe

Static PE information: 0x94FD92FF [Thu Mar 18 02:10:07 2049 UTC]

Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Nezur Launcher.exe	Window / User API: threadDelayed 608	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Window / User API: threadDelayed 549	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Window / User API: threadDelayed 8776	Jump to behavior

Source: C:\Users\user\Desktop\Nezur Launcher.exe TID: 7460	Thread sleep time: -608000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe TID: 7488	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe TID: 7460	Thread sleep time: -8776000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe TID: 7488	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Nezur Launcher.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Nezur Launcher.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\Nezur Launcher.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: Nezur Launcher.exe, 00000000.00000002.1276777065.000002DAEB0D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: Nezur Launcher.exe, 00000000.00000002.1277138787.000002DAEB2B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\
Source: Nezur Launcher.exe, 00000000.00000002.1277138787.000002DAEB2B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Z1
Source: Nezur Launcher.exe, 00000000.00000002.1277138787.000002DAEB2F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Nezur Launcher.exe, 00000000.00000002.1277138787.000002DAEB2F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Nezur Launcher.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Nezur Launcher.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faq

Jump to behavior

Source: C:\Users\user\Desktop\Nezur Launcher.exe	Queries volume information: C:\Users\user\Desktop\Nezur Launcher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemCore\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemCore.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nezur Launcher.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Nezur Launcher.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	11 Process Injection	2 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	5 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Software Packing	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Timestomp	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Nezur Launcher.exe	26%	ReversingLabs
Nezur Launcher.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://defaultcontainer/interface/uelxsuwblsmkokrpstoofjgjeoraa.xaml	0%	Avira URL Cloud	safe
https://fontawesome.comhttps://fontawesome.comFont	0%	Avira URL Cloud	safe
http://foo/interface/uelxsuwblsmkokrpstoofjgjeoraa.xaml	0%	Avira URL Cloud	safe
https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faq&	0%	Avira URL Cloud	safe
https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faq59	0%	Avira URL Cloud	safe
https://nezur.net/keysys.html	0%	Avira URL Cloud	safe
https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faq0	0%	Avira URL Cloud	safe
https://nezurexternal.sell.app/cdn-cgi/images/cf-no-screenshot-error.png	0%	Avira URL Cloud	safe
https://nezurexternal.sell.app/cdn-cgi/images/browser-bar.png?1376755637	0%	Avira URL Cloud	safe
http://www.zkysky.com.ar/http://www.zkysky.com.ar/This	0%	Avira URL Cloud	safe
https://nezurexternal.sell.app/cdn-cgi/styles/cf.errors.css	0%	Avira URL Cloud	safe
https://indiantypefoundry.comThis	0%	Avira URL Cloud	safe
http://foo/interface/uelxsuwblsmkokrpstoofjgjeoraa.xamlp	0%	Avira URL Cloud	safe
http://www.kenangundogan.com	0%	Avira URL Cloud	safe
https://nezur.net/F/Nezur	0%	Avira URL Cloud	safe
http://foo/bar/interface/uelxsuwblsmkokrpstoofjgjeoraa.baml	0%	Avira URL Cloud	safe
http://foo/bar/interface/uelxsuwblsmkokrpstoofjgjeoraa.bamlp	0%	Avira URL Cloud	safe
https://www.jetbrains.comhttps://www.jetbrains.comThis	0%	Avira URL Cloud	safe
http://www.kenangundogan.comhttp://www.kenangundogan.comMITMIThttps://opensource.org/licenses/mit-li	0%	Avira URL Cloud	safe
http://fontello.comMaterial	0%	Avira URL Cloud	safe
https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faqP4	0%	Avira URL Cloud	safe
http://www.fontisto.com	0%	Avira URL Cloud	safe
https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faqv	0%	Avira URL Cloud	safe
http://defaultcontainer/interface/uelxsuwblsmkokrpstoofjgjeoraa.xamlp	0%	Avira URL Cloud	safe
https://nezurexternal.sell.app/favicon.ico	0%	Avira URL Cloud	safe
https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faqC4(0)	0%	Avira URL Cloud	safe
https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faql	0%	Avira URL Cloud	safe
https://nezur.net/	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
a.nel.cloudflare.com	35.190.80.1	true	false	high
accounts.google.com	172.253.122.84	true	false	high
www.google.com	142.251.16.106	true	false	high
clients.l.google.com	172.253.62.101	true	false	high
nezurexternal.sell.app	104.26.12.122	true	false	unknown
clients2.google.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://nezurexternal.sell.app/cdn-cgi/images/cf-no-screenshot-error.png	false	Avira URL Cloud: safe	unknown
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=115.0.5790.171&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false		high
https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faq	false		unknown
https://nezurexternal.sell.app/cdn-cgi/images/browser-bar.png?1376755637	false	Avira URL Cloud: safe	unknown
https://a.nel.cloudflare.com/report/v3?s=OGOGeFWSn19SqrVwNNT8K9sAKmaYduksihsDgIIySTxooK5dCARAYwXyCoyq10UMV8hx%2FmayycAzkEqN2kUn50Y2XA8vru4mO1Ft0u7WJkr6kTAcTWm1aghu3WNK3EaDAtKeTT%2Bm5K8%3D	false		high
https://nezurexternal.sell.app/cdn-cgi/styles/cf.errors.css	false	Avira URL Cloud: safe	unknown
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high
https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faq	false		unknown
https://a.nel.cloudflare.com/report/v3?s=3y49IfOROrJ6ROX%2BFesMXv620No%2FsmuBRJRLLp27AOefsTSDXkjeMozJknjdyF%2BRnYPbr6FBxLBTslD1eS%2BW10zXZbCzLHruuSmeiXOL6DPvGsDbmxronU%2FiM2YPFm9TO3QODogO5zM%3D	false		high
https://nezurexternal.sell.app/favicon.ico	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://scripts.sil.org/OFLhttps://scripts.sil.org/OFLRubikRomanWeightItalicRoman	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false		high
https://scripts.sil.org/OFLhttps://scripts.sil.org/OFLRubikMediumRubikRomanWeightItalicRoman	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false		high
https://github.com/JulietaUla/Montserrat)MontserratSemiBold7.200;ULA	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false		high
https://scripts.sil.org/OFLhttps://scripts.sil.org/OFLPoppinsMedium	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false		high
https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faq59	Nezur Launcher.exe, 00000000.00000002.1277138787.000002DAEB2B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fontawesome.comhttps://fontawesome.comFont	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE6E20000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/itfoundry/Poppins)PoppinsBold	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false		high
http://www.zkysky.com.ar/http://www.zkysky.com.ar/This	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fontawesome.com	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE6E20000.00000004.08000000.00040000.00000000.sdmp	false		high
https://opensource.org/licenses/mit-license.html	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE6E20000.00000004.08000000.00040000.00000000.sdmp	false		high
http://defaultcontainer/interface/uelxsuwblsmkokrpstoofjgjeoraa.xaml	Nezur Launcher.exe, 00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://github.com/JetBrains/JetBrainsMono)JetBrains	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE6E20000.00000004.08000000.00040000.00000000.sdmp	false		high
https://nezur.net/keysys.html	Nezur Launcher.exe, 00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faq&	Nezur Launcher.exe, 00000000.00000002.1277345969.000002DAEB456000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/interface/uelxsuwblsmkokrpstoofjgjeoraa.xaml	Nezur Launcher.exe, 00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faq0	Nezur Launcher.exe, 00000000.00000002.1277138787.000002DAEB2F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kenangundogan.com	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE6E20000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLMontserratSemiBold	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false		high
http://foo/interface/uelxsuwblsmkokrpstoofjgjeoraa.xamlp	Nezur Launcher.exe, 00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://indiantypefoundry.comThis	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://scripts.sil.org/OFLhttps://scripts.sil.org/OFLPoppinsThin	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false		high
https://github.com/itfoundry/Poppins)PoppinsRegularITFO;	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false		high
http://scripts.sil.org/OFLhttp://scripts.sil.org/OFL	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false		high
https://github.com/googlefonts/rubik)RubikRegular2.102;NONE;Rubik-RegularRubik	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false		high
https://scripts.sil.org/OFLhttps://scripts.sil.org/OFL	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp, Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE6E20000.00000004.08000000.00040000.00000000.sdmp	false		high
https://scripts.sil.org/OFLhttps://scripts.sil.org/OFLPoppinsBlack	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false		high
https://github.com/JulietaUla/Montserrat)Montserrat	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false		high
https://github.com/itfoundry/Poppins)PoppinsBoldITFO;	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false		high
https://nezur.net/F/Nezur	Nezur Launcher.exe, 00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://fontello.comMaterial	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp, Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE701D000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/interface/uelxsuwblsmkokrpstoofjgjeoraa.baml	Nezur Launcher.exe, 00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.kenangundogan.comhttp://www.kenangundogan.comMITMIThttps://opensource.org/licenses/mit-li	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE6E20000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/itfoundry/Poppins)PoppinsItalicITFO;	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false		high
https://scripts.sil.org/OFLhttps://scripts.sil.org/OFLPoppinsExtraBold	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false		high
https://www.jetbrains.comhttps://www.jetbrains.comThis	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE6E20000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://fontello.com	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE701D000.00000004.08000000.00040000.00000000.sdmp	false		high
https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faqP4	Nezur Launcher.exe, 00000000.00000002.1277345969.000002DAEB456000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/interface/uelxsuwblsmkokrpstoofjgjeoraa.bamlp	Nezur Launcher.exe, 00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faqv	Nezur Launcher.exe, 00000000.00000002.1277345969.000002DAEB456000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://scripts.sil.org/OFLhttps://scripts.sil.org/OFLJetBrains	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE6E20000.00000004.08000000.00040000.00000000.sdmp	false		high
http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLCopyright	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false		high
http://www.fontisto.com	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE6E20000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.cloudflare.com/5xx-error-landing	chromecache_122.2.dr, chromecache_120.2.dr	false		high
http://defaultcontainer/interface/uelxsuwblsmkokrpstoofjgjeoraa.xamlp	Nezur Launcher.exe, 00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://scripts.sil.org/OFLhttps://scripts.sil.org/OFLPoppinsLight	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false		high
https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faql	Nezur Launcher.exe, 00000000.00000002.1277138787.000002DAEB2F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.google.com/fontshttp://www.hubertfischer.comThis	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false		high
https://scripts.sil.org/OFLhttps://scripts.sil.org/OFLPoppinsExtraLight	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false		high
https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faqC4(0)	Nezur Launcher.exe, 00000000.00000002.1277138787.000002DAEB2B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/googlefonts/rubik)Rubik	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false		high
https://nezur.net/	Nezur Launcher.exe, 00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/itfoundry/Poppins)Poppins	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false		high
https://scripts.sil.org/OFLhttps://scripts.sil.org/OFLPoppinsSemiBold	Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false
104.26.12.122	nezurexternal.sell.app	United States	13335	CLOUDFLARENETUS	false
172.253.122.84	accounts.google.com	United States	15169	GOOGLEUS	false
172.253.62.101	clients.l.google.com	United States	15169	GOOGLEUS	false
142.251.16.106	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1318264
Start date and time:	2023-10-02 22:03:56 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Nezur Launcher.exe
Detection:	MAL
Classification:	mal68.evad.winEXE@18/7@12/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 57% Number of executed functions: 7 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 142.251.16.94, 34.104.35.123, 142.251.163.94
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, edgedl.me.gvt1.com, update.googleapis.com, tse1.mm.bing.net, clientservices.googleapis.com, displaycatalog.mp.microsoft.com, g.bing.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: Nezur Launcher.exe

Simulations

Behavior and APIs

Time	Type	Description
22:05:12	API Interceptor	17092887x Sleep call for process: Nezur Launcher.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	https://oahuwinefestival.com/new/auth/y4bxqs/c2NhcnZlckBwZXJzb25jb3VudHkubmV0	Get hash	malicious	HTMLPhisher	Browse
	https://www.google.com/amp/s/www.gilsreformas.com.br%2fnew%2fnew%2fic%2frpvpv1%2fbmljaG9sYXMuYW5kcmV3c0ByZWR3aXJlc3BhY2UuY29t	Get hash	malicious	Unknown	Browse
	parker Enroll Benaeit Salary RaiseBonus enchancement Health Coverage.msg	Get hash	malicious	HTMLPhisher	Browse
	VM10530_VMCloud_WAV.html	Get hash	malicious	HTMLPhisher	Browse
	http://azohxhfkimtelsiwsitm.homes	Get hash	malicious	Unknown	Browse
	CAAA=_1.xlsx	Get hash	malicious	Unknown	Browse
	CAAA=_1.xlsx	Get hash	malicious	Unknown	Browse
	http://lynnnelectric.com	Get hash	malicious	Unknown	Browse
	http://cloudflare-ipfs.com/ipfs/qmnzhfbxavawhtrnl3upmefnvoavavy1gvzmwsdzrwkwwa/	Get hash	malicious	Unknown	Browse
	voicemail.html	Get hash	malicious	Unknown	Browse
	https://willowwaymedia.com/raadobe/index.html	Get hash	malicious	HTMLPhisher	Browse
	https://willowwaymedia.com/raadobe/index.html	Get hash	malicious	HTMLPhisher	Browse
	kbm4Y6AZB9.exe	Get hash	malicious	Amadey, Babadeda, Fabookie, Healer AV Disabler, Mystic Stealer, RedLine, SmokeLoader	Browse
	https://www.google.com/amp/s/2865565c.86a584b43966e37842d924a6.workers.dev?qrc=kbennett@magmutual.com	Get hash	malicious	Unknown	Browse
	https://www.evernote.com/shard/s652/sh/1754aabc-0a71-8a52-d6ca-c27abb87e318/qYrKkJArr1MUkvRLZSGBsBgheYACuNuYiBZzZei8bICzDxPyQVCBUgAfpg	Get hash	malicious	Unknown	Browse
	https://www.google.com/amp/s/www.houseofbenjamin.org%2fnew%2fwe-sepse%2f7e%2fix6yqx%2fam9zaEBvMy5zb2x1dGlvbnM=	Get hash	malicious	Unknown	Browse
	https://in.xero.com/TnthykR5Rb7zOW1K5TaUHSTclJKWEApyNEXM835D?utm_source=invoiceEmailViewInvoiceButton	Get hash	malicious	Unknown	Browse
	https://ccirn.co/__;!!NZC3DzfQ5g!BdGN14uNlZe_xYzb7FIDO0rSiNx6a0Z2uJ9-JkmnWdFfG2k13_IAjrcdDM5_xjT94FILWxMTEo-ZsxBx4xeTay2TrRU$	Get hash	malicious	Unknown	Browse
	https://allurexashleyalaura.com/?uidckdfdbqjvq38eo0rocq0	Get hash	malicious	Unknown	Browse
104.26.12.122	https://investordaily.us5.list-manage.com/track/click?u=b5150547bc871ea4865df93c3&id=bccc4d28c8&e=ceb0b43dad	Get hash	malicious	HTMLPhisher	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://oahuwinefestival.com/new/auth/y4bxqs/c2NhcnZlckBwZXJzb25jb3VudHkubmV0	Get hash	malicious	HTMLPhisher	Browse	104.21.76.112
	MullvadVpnSetup.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.191.205
	SurfsharkSetup.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.191.205
	ThreatHunterAssessmentTool.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.191.205
	avira_en_vpnb0_1932501596-1695807994__pvpnws-spotlightvpnadw-test.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	104.21.20.56
	parker Enroll Benaeit Salary RaiseBonus enchancement Health Coverage.msg	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	VM10530_VMCloud_WAV.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	7k6rBH3r1y.exe	Get hash	malicious	Glupteba	Browse	172.67.212.103
	IeKTn9mrZ8.exe	Get hash	malicious	Glupteba	Browse	162.159.134.233
	Me6caGCnzR.exe	Get hash	malicious	Unknown	Browse	172.67.222.167
	as6igQn00R.exe	Get hash	malicious	Unknown	Browse	104.21.38.126
	7k6rBH3r1y.exe	Get hash	malicious	Glupteba	Browse	162.159.133.233
	Me6caGCnzR.exe	Get hash	malicious	Unknown	Browse	172.67.222.167
	as6igQn00R.exe	Get hash	malicious	Unknown	Browse	104.21.38.126
	IeKTn9mrZ8.exe	Get hash	malicious	Glupteba	Browse	162.159.133.233
	enzHl9JEvj.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.176.124
	yQEJKg0s78.exe	Get hash	malicious	Fabookie, Glupteba, LummaC Stealer, SmokeLoader	Browse	104.21.93.225
	file.exe	Get hash	malicious	Djvu, Fabookie, Glupteba, RedLine, SmokeLoader	Browse	162.159.134.233
	http://cloudflare-ipfs.com/ipfs/qmnzhfbxavawhtrnl3upmefnvoavavy1gvzmwsdzrwkwwa/	Get hash	malicious	Unknown	Browse	104.17.64.14

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 960 x 53, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	715
Entropy (8bit):	7.3533249502413565
Encrypted:	false
SSDEEP:	12:6v/7et+/37c7jvBjLg+UnhdeNdLI4dACGHJovQpMZP5ajgj7xbKwkRR/:Lu490+NdcCqJlpMZxajnwCR/
MD5:	226DCB8F6144BDAAFDFBD8F2F354BE64
SHA1:	3785CC5B3BF52F8E398177B0FF1020B24AA86B8C
SHA-256:	8C873472F4925D5D47521DB4D52532D2983E9CB1BDE8B43143A6CC6DB56C35DB
SHA-512:	ED898B12C4895F7ACEAAB443C1071E6376DB71B4DFDBD769F5F3BE71D562438A18B5E5DC36DD7CC610926E380603A894B2E81DF4302680C736A412BFD3360D3A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.......5.......r....]PLTE........................................................................................9W)....tRNS...u... ........IDATx....n.0....#.......?.f....I.B..g........O...hW...Y^.<..v..E..."....@D;u.#.h....WD.u...nq..vL...J?T.(D..&JtZ`&.....e..!.'m..5..$p.$..k`....+wCk.N=..(<....[.I.O4&.56..kR..O0.H`...%.b.Q........D..X...L.D..(.bT..... ..b+5I.+....W^. .....Y.....L.Ob.&26..IR.$0.y.^6*/..D..X.0_`..s.}..+S.. ..../D......I...ew..Qh.Nn......u.t0k.fX..b.&.!.\..I.cf..RgKC+2.M....6.)o. ..`c..M....../a.&....".Q.....uU.]@....j.......O.'......."....t....d...?z..p.q.Y.C...&0...a.C...&0...a.C...&0...a.C...&0...a.C...&0...a.C...&0...a/..Y.x.I....IEND.B`.

Chrome Cache Entry: 120

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (394)
Category:	downloaded
Size (bytes):	4511
Entropy (8bit):	5.01573617689051
Encrypted:	false
SSDEEP:	96:1j9jwIjYj5jDK/D5DMF+C8k0ZqXKHvpIkdN/rRH9PaQxJbGD:1j9jhjYj9K/Vo+nkZaHvFdN/rZ9ieJGD
MD5:	2547DDAF2AEF86AE6090FA0AE56DAE81
SHA1:	85D6079B703CB7B7FEBBA9DB8900ED81A6156EE8
SHA-256:	B9A6710BBB4F5749BA2C6E72B36406E1C7A262920AD480E9CA9E1DC6354514B2
SHA-512:	A196E9585DCB4728113E8C14541B7B2DFCE0C9E1827E8302E3165D595EE0F2BA1A530ED4654D7AAD5D0F45D9110C4558D44D5C734E87F088ACCB8C163445D6DC
Malicious:	false
Reputation:	low
URL:	https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faq
Preview:	<!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Attention Required! \| Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]-->.<style>body{margin:0;padding:0}</style>... [if gte IE 10]> >.<script>. if (!navigator.cookieEnabled) {. window.addEventListener('DOMContentLoaded', f

Chrome Cache Entry: 121

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (24131)
Category:	downloaded
Size (bytes):	24132
Entropy (8bit):	4.94218020721052
Encrypted:	false
SSDEEP:	192:VuR/6okgTQwq23gGM8lUR9YRGQ2BwoX6zp+1+nDT1FvxKSI7/UusV7MSE6XZ2dKI:JwV+oUcoQJpdf1dxKSI7/Uue7ZX2qk
MD5:	A1CEDC21F16B5A97114857154FAB35E9
SHA1:	95E9890A15A4F7F94F7F19D2C297E4B07503C526
SHA-256:	1103290E25EBDA2712ABE344A87FACBAC00DDABA712729BE9FE5FEEF807BF91B
SHA-512:	00E857331DCE66901120B042A254E5AF5135364F718DA56110A4744F3E64F9B61BA0B877013AF8398A0F865C7BDE6AD2F87B3C9D2D828651806409CBA57AA34E
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	https://nezurexternal.sell.app/cdn-cgi/styles/cf.errors.css
Preview:	#cf-wrapper a,#cf-wrapper abbr,#cf-wrapper article,#cf-wrapper aside,#cf-wrapper b,#cf-wrapper big,#cf-wrapper blockquote,#cf-wrapper body,#cf-wrapper canvas,#cf-wrapper caption,#cf-wrapper center,#cf-wrapper cite,#cf-wrapper code,#cf-wrapper dd,#cf-wrapper del,#cf-wrapper details,#cf-wrapper dfn,#cf-wrapper div,#cf-wrapper dl,#cf-wrapper dt,#cf-wrapper em,#cf-wrapper embed,#cf-wrapper fieldset,#cf-wrapper figcaption,#cf-wrapper figure,#cf-wrapper footer,#cf-wrapper form,#cf-wrapper h1,#cf-wrapper h2,#cf-wrapper h3,#cf-wrapper h4,#cf-wrapper h5,#cf-wrapper h6,#cf-wrapper header,#cf-wrapper hgroup,#cf-wrapper html,#cf-wrapper i,#cf-wrapper iframe,#cf-wrapper img,#cf-wrapper label,#cf-wrapper legend,#cf-wrapper li,#cf-wrapper mark,#cf-wrapper menu,#cf-wrapper nav,#cf-wrapper object,#cf-wrapper ol,#cf-wrapper output,#cf-wrapper p,#cf-wrapper pre,#cf-wrapper s,#cf-wrapper samp,#cf-wrapper section,#cf-wrapper small,#cf-wrapper span,#cf-wrapper strike,#cf-wrapper strong,#cf-wrapper sub,#cf-w

Chrome Cache Entry: 122

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (394)
Category:	downloaded
Size (bytes):	4511
Entropy (8bit):	5.014843897101099
Encrypted:	false
SSDEEP:	96:1j9jwIjYj5jDK/D5DMF+C8k0ZqXKHvpIkdNPrRH9PaQxJbGD:1j9jhjYj9K/Vo+nkZaHvFdNPrZ9ieJGD
MD5:	EC2750930054EFDDAA187A81B2D90B67
SHA1:	0B46E1BF66F0FD6762555598DE3C6048FFF10973
SHA-256:	2DE8D020A286D4D49F1E31D011F6ABDAE67439FE5D704B3D0485CE2CDEB86C4B
SHA-512:	E84B55811C869B3A02A62B100EF7338B790F7E250B90B8A4E040CE38BF68CC87E7A7CF9F73E13ADAC39F4822A69B79A2B71DF2EE9BA21189066158274AE7215A
Malicious:	false
Reputation:	low
URL:	https://nezurexternal.sell.app/favicon.ico
Preview:	<!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Attention Required! \| Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]-->.<style>body{margin:0;padding:0}</style>... [if gte IE 10]> >.<script>. if (!navigator.cookieEnabled) {. window.addEventListener('DOMContentLoaded', f

Chrome Cache Entry: 123

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 178 x 175, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	3213
Entropy (8bit):	7.553565995366911
Encrypted:	false
SSDEEP:	96:35QRRzQqgtYCWBzmuvuLf33Pf309TxeL+vD+7SrQ9o6Br2eJk:GRRsqgOBzvcnM9TxVk9JCeJk
MD5:	0D768CBC261841D3AFFC933B9AC3130E
SHA1:	AFF136A4C761E1DF1ADA7E5D9A6ED0EBEA74A4B7
SHA-256:	1C53772285052E52BB7C12AD46A85A55747ED7BF66963FE1993FCEF91FF5B0D0
SHA-512:	CE5B1BBB8CF6B0C3D1FA146D1700DB2300ABD6F2BDBE43ECAAC6AEBC911BE6E1BCD2F8C6704A2CFA67BBB45598793DDEC017E05C2C37CE387293AAE08E7C342F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.............n.t.....PLTE..........UU.@@.33..$I.@@.99.33.....''.$7.33.00.--..((.&&.$1....,,..)).''.&/.$..,,..)).((.''..)).((.''.&&.%,.$..)).((.''.&&.%.$.)).((.&&.&.%.$).((.''.&&.&.%).$(.$(.''.''.&&.%).$(.''.&&.%).%(.$(.$'.''.&&.&).%(.$'.$'.''.&&.&).%(.%(.$'.$'.&&.&&.&(.%(.%'.&&.&&.%(.%(.$'.$&.&&.&(.%(.%'.%'.$'.$&.&&.&(.%'.%'.$'.$&.&&.&(.%'.%'.$&.$&.&(.%'.%'.$&.$&.$(.%'.%'.%'.$&.$&.$(.%'.%'.%'.%&.$&.$&.$'.%'.%'.%'.%&.$&.$'.$'.%'.%'.%&.%&.$&.$'.$'.%'.%'.%&.%&.$&.$'.$'.%'.%'.%&.%&.$&.$'.$'.%'.%&.%&.%&.$'.$'.$'.%'.%&.%&.%&.$'.$'.$'.$'.%&.%&.%&.$'.$'.$'.$&.%&.%&.%&.$'.$'.$'.$&.%&.%&.%'.$'.$'.$&.$&.%&.%&.%'.$'.$'.$&.$&.%&.%&.%'.$'.$'.$&.$&.%&.%&.%'.$'.$&.$&.$&.%&.%'.%'.$'.$&.$&.$&.%&.%'.%'.$'.$&.$&.$&.%&.%'.%'.$&.$&.$&.$&........tRNS................................ !$%&'()*+,-./01235678:;<=>?@ABCEFHIKLMNOPQRTUVWXYZ[\]^_`adefgijklmnopqrsuvwxyz\|}..................................................................................................................

Chrome Cache Entry: 124

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 178 x 175, 8-bit colormap, non-interlaced
Category:	downloaded
Size (bytes):	3213
Entropy (8bit):	7.553565995366911
Encrypted:	false
SSDEEP:	96:35QRRzQqgtYCWBzmuvuLf33Pf309TxeL+vD+7SrQ9o6Br2eJk:GRRsqgOBzvcnM9TxVk9JCeJk
MD5:	0D768CBC261841D3AFFC933B9AC3130E
SHA1:	AFF136A4C761E1DF1ADA7E5D9A6ED0EBEA74A4B7
SHA-256:	1C53772285052E52BB7C12AD46A85A55747ED7BF66963FE1993FCEF91FF5B0D0
SHA-512:	CE5B1BBB8CF6B0C3D1FA146D1700DB2300ABD6F2BDBE43ECAAC6AEBC911BE6E1BCD2F8C6704A2CFA67BBB45598793DDEC017E05C2C37CE387293AAE08E7C342F
Malicious:	false
URL:	https://nezurexternal.sell.app/cdn-cgi/images/cf-no-screenshot-error.png
Preview:	.PNG........IHDR.............n.t.....PLTE..........UU.@@.33..$I.@@.99.33.....''.$7.33.00.--..((.&&.$1....,,..)).''.&/.$..,,..)).((.''..)).((.''.&&.%,.$..)).((.''.&&.%.$.)).((.&&.&.%.$).((.''.&&.&.%).$(.$(.''.''.&&.%).$(.''.&&.%).%(.$(.$'.''.&&.&).%(.$'.$'.''.&&.&).%(.%(.$'.$'.&&.&&.&(.%(.%'.&&.&&.%(.%(.$'.$&.&&.&(.%(.%'.%'.$'.$&.&&.&(.%'.%'.$'.$&.&&.&(.%'.%'.$&.$&.&(.%'.%'.$&.$&.$(.%'.%'.%'.$&.$&.$(.%'.%'.%'.%&.$&.$&.$'.%'.%'.%'.%&.$&.$'.$'.%'.%'.%&.%&.$&.$'.$'.%'.%'.%&.%&.$&.$'.$'.%'.%'.%&.%&.$&.$'.$'.%'.%&.%&.%&.$'.$'.$'.%'.%&.%&.%&.$'.$'.$'.$'.%&.%&.%&.$'.$'.$'.$&.%&.%&.%&.$'.$'.$'.$&.%&.%&.%'.$'.$'.$&.$&.%&.%&.%'.$'.$'.$&.$&.%&.%&.%'.$'.$'.$&.$&.%&.%&.%'.$'.$&.$&.$&.%&.%'.%'.$'.$&.$&.$&.%&.%'.%'.$'.$&.$&.$&.%&.%'.%'.$&.$&.$&.$&........tRNS................................ !$%&'()*+,-./01235678:;<=>?@ABCEFHIKLMNOPQRTUVWXYZ[\]^_`adefgijklmnopqrsuvwxyz\|}..................................................................................................................

Chrome Cache Entry: 125

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 960 x 53, 8-bit colormap, non-interlaced
Category:	downloaded
Size (bytes):	715
Entropy (8bit):	7.3533249502413565
Encrypted:	false
SSDEEP:	12:6v/7et+/37c7jvBjLg+UnhdeNdLI4dACGHJovQpMZP5ajgj7xbKwkRR/:Lu490+NdcCqJlpMZxajnwCR/
MD5:	226DCB8F6144BDAAFDFBD8F2F354BE64
SHA1:	3785CC5B3BF52F8E398177B0FF1020B24AA86B8C
SHA-256:	8C873472F4925D5D47521DB4D52532D2983E9CB1BDE8B43143A6CC6DB56C35DB
SHA-512:	ED898B12C4895F7ACEAAB443C1071E6376DB71B4DFDBD769F5F3BE71D562438A18B5E5DC36DD7CC610926E380603A894B2E81DF4302680C736A412BFD3360D3A
Malicious:	false
URL:	https://nezurexternal.sell.app/cdn-cgi/images/browser-bar.png?1376755637
Preview:	.PNG........IHDR.......5.......r....]PLTE........................................................................................9W)....tRNS...u... ........IDATx....n.0....#.......?.f....I.B..g........O...hW...Y^.<..v..E..."....@D;u.#.h....WD.u...nq..vL...J?T.(D..&JtZ`&.....e..!.'m..5..$p.$..k`....+wCk.N=..(<....[.I.O4&.56..kR..O0.H`...%.b.Q........D..X...L.D..(.bT..... ..b+5I.+....W^. .....Y.....L.Ob.&26..IR.$0.y.^6*/..D..X.0_`..s.}..+S.. ..../D......I...ew..Qh.Nn......u.t0k.fX..b.&.!.\..I.cf..RgKC+2.M....6.)o. ..`c..M....../a.&....".Q.....uU.]@....j.......O.'......."....t....d...?z..p.q.Y.C...&0...a.C...&0...a.C...&0...a.C...&0...a.C...&0...a.C...&0...a/..Y.x.I....IEND.B`.

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.99579449930914
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	Nezur Launcher.exe
File size:	2'662'400 bytes
MD5:	2e1c03948ad3f04f5bc464a51367d915
SHA1:	531ac9ad63fb470a9c1f40808631c6858e48bffb
SHA256:	cfb67a945a4ede60d711105353247d32c2fe5118aec5d8f90ed5eca85e86b2ca
SHA512:	f6d308bab0807ee8e16049fb093a804a7e2608449dd036f44b91c4a553eb33b247549afc4b54ffaa3321211279fc66680520b0f04ca31c353a9ca3b8da22af62
SSDEEP:	49152:zfmsjgU8f7imPPENLZd6t/49yAqGJ2wODQlzGhjG8rTQ8kZg5eul/Qer6yer:zfmMgU8femX0d6BsJ+D7rYwMeQe2j
TLSH:	1DC523B700A950A3C5581330E4754F0B3B3CDB685DC5B8A9F08BA29DAD0E5DD1EF97A8
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0.......'...........'...@...... ........................)...........`...@......@............... .....

File Icon


Icon Hash:	7a31252d2d193930

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x94FD92FF [Thu Mar 18 02:10:07 2049 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x28c000	0x2288	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x27c000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
p6uioVf^	0x2000	0x278874	0x278a00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x27c000	0xf000	0xf000	False	0.5603515625	data	6.007786721062512	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x28c000	0x2288	0x2400	False	0.2516276041666667	data	4.097922856153852	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x28c130	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 23622 x 23622 px/m	0.12171669793621014
RT_GROUP_ICON	0x28d1d8	0x14	data	1.1
RT_VERSION	0x28d1ec	0x34c	data	0.41232227488151657
RT_MANIFEST	0x28d538	0xd4f	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.38538303492808923

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 180
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2023 22:04:44.385584116 CEST	49794	443	192.168.2.3	172.253.122.84
Oct 2, 2023 22:04:44.385605097 CEST	443	49794	172.253.122.84	192.168.2.3
Oct 2, 2023 22:04:44.385657072 CEST	49794	443	192.168.2.3	172.253.122.84
Oct 2, 2023 22:04:44.385802031 CEST	49794	443	192.168.2.3	172.253.122.84
Oct 2, 2023 22:04:44.385807037 CEST	443	49794	172.253.122.84	192.168.2.3
Oct 2, 2023 22:04:44.393024921 CEST	49795	443	192.168.2.3	172.253.62.101
Oct 2, 2023 22:04:44.393049002 CEST	443	49795	172.253.62.101	192.168.2.3
Oct 2, 2023 22:04:44.393115044 CEST	49795	443	192.168.2.3	172.253.62.101
Oct 2, 2023 22:04:44.393274069 CEST	49795	443	192.168.2.3	172.253.62.101
Oct 2, 2023 22:04:44.393287897 CEST	443	49795	172.253.62.101	192.168.2.3
Oct 2, 2023 22:04:44.402530909 CEST	49796	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:44.402614117 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:44.402698040 CEST	49796	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:44.403747082 CEST	49797	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:44.403769016 CEST	443	49797	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:44.403831959 CEST	49797	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:44.404015064 CEST	49796	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:44.404046059 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:44.404184103 CEST	49797	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:44.404210091 CEST	443	49797	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:44.672914982 CEST	443	49797	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:44.673356056 CEST	49797	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:44.673434019 CEST	443	49797	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:44.675167084 CEST	443	49797	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:44.675239086 CEST	49797	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:44.677129984 CEST	49797	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:44.677208900 CEST	443	49797	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:44.677489042 CEST	49797	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:44.677503109 CEST	443	49795	172.253.62.101	192.168.2.3
Oct 2, 2023 22:04:44.677515030 CEST	443	49797	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:44.677633047 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:44.677711964 CEST	49795	443	192.168.2.3	172.253.62.101
Oct 2, 2023 22:04:44.677740097 CEST	443	49795	172.253.62.101	192.168.2.3
Oct 2, 2023 22:04:44.677898884 CEST	49796	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:44.677939892 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:44.678097010 CEST	443	49795	172.253.62.101	192.168.2.3
Oct 2, 2023 22:04:44.678158998 CEST	49795	443	192.168.2.3	172.253.62.101
Oct 2, 2023 22:04:44.679066896 CEST	443	49795	172.253.62.101	192.168.2.3
Oct 2, 2023 22:04:44.679122925 CEST	49795	443	192.168.2.3	172.253.62.101
Oct 2, 2023 22:04:44.679442883 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:44.679498911 CEST	49796	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:44.679801941 CEST	49796	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:44.679872990 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:44.680002928 CEST	49795	443	192.168.2.3	172.253.62.101
Oct 2, 2023 22:04:44.680073023 CEST	443	49795	172.253.62.101	192.168.2.3
Oct 2, 2023 22:04:44.680278063 CEST	49795	443	192.168.2.3	172.253.62.101
Oct 2, 2023 22:04:44.680304050 CEST	443	49795	172.253.62.101	192.168.2.3
Oct 2, 2023 22:04:44.685587883 CEST	443	49794	172.253.122.84	192.168.2.3
Oct 2, 2023 22:04:44.685760975 CEST	49794	443	192.168.2.3	172.253.122.84
Oct 2, 2023 22:04:44.685779095 CEST	443	49794	172.253.122.84	192.168.2.3
Oct 2, 2023 22:04:44.687191010 CEST	443	49794	172.253.122.84	192.168.2.3
Oct 2, 2023 22:04:44.687254906 CEST	49794	443	192.168.2.3	172.253.122.84
Oct 2, 2023 22:04:44.688203096 CEST	49794	443	192.168.2.3	172.253.122.84
Oct 2, 2023 22:04:44.688282967 CEST	443	49794	172.253.122.84	192.168.2.3
Oct 2, 2023 22:04:44.688462019 CEST	49794	443	192.168.2.3	172.253.122.84
Oct 2, 2023 22:04:44.688477039 CEST	443	49794	172.253.122.84	192.168.2.3
Oct 2, 2023 22:04:44.718703985 CEST	49797	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:44.719938993 CEST	49796	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:44.719995975 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:44.720704079 CEST	49795	443	192.168.2.3	172.253.62.101
Oct 2, 2023 22:04:44.729691029 CEST	49794	443	192.168.2.3	172.253.122.84
Oct 2, 2023 22:04:44.760806084 CEST	49796	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:44.853457928 CEST	443	49795	172.253.62.101	192.168.2.3
Oct 2, 2023 22:04:44.853559971 CEST	443	49795	172.253.62.101	192.168.2.3
Oct 2, 2023 22:04:44.853626966 CEST	49795	443	192.168.2.3	172.253.62.101
Oct 2, 2023 22:04:44.854312897 CEST	49795	443	192.168.2.3	172.253.62.101
Oct 2, 2023 22:04:44.854351997 CEST	443	49795	172.253.62.101	192.168.2.3
Oct 2, 2023 22:04:44.879911900 CEST	443	49797	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:44.880002975 CEST	443	49797	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:44.880079031 CEST	443	49797	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:44.880177021 CEST	443	49797	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:44.880182981 CEST	49797	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:44.880255938 CEST	443	49797	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:44.880295992 CEST	49797	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:44.880309105 CEST	443	49797	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:44.880366087 CEST	49797	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:44.884067059 CEST	49797	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:44.884092093 CEST	443	49797	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:44.903273106 CEST	49796	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:44.930584908 CEST	443	49794	172.253.122.84	192.168.2.3
Oct 2, 2023 22:04:44.930921078 CEST	443	49794	172.253.122.84	192.168.2.3
Oct 2, 2023 22:04:44.930984974 CEST	49794	443	192.168.2.3	172.253.122.84
Oct 2, 2023 22:04:44.931560040 CEST	49794	443	192.168.2.3	172.253.122.84
Oct 2, 2023 22:04:44.931566954 CEST	443	49794	172.253.122.84	192.168.2.3
Oct 2, 2023 22:04:44.950453043 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:44.988856077 CEST	49798	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:04:44.988904953 CEST	443	49798	35.190.80.1	192.168.2.3
Oct 2, 2023 22:04:44.988966942 CEST	49798	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:04:44.989393950 CEST	49798	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:04:44.989406109 CEST	443	49798	35.190.80.1	192.168.2.3
Oct 2, 2023 22:04:45.000809908 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.000937939 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.001038074 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.001108885 CEST	49796	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.001127005 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.001154900 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.001189947 CEST	49796	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.001302958 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.001383066 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.001421928 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.001456976 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.001493931 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.001496077 CEST	49796	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.001496077 CEST	49796	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.001528025 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.001539946 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.001547098 CEST	49796	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.001590967 CEST	49796	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.001617908 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.001679897 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.001730919 CEST	49796	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.001745939 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.002077103 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.002124071 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.002129078 CEST	49796	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.002141953 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.002198935 CEST	49796	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.002208948 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.002227068 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.002279043 CEST	49796	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.002999067 CEST	49796	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.003029108 CEST	443	49796	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.011749029 CEST	49799	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.011770010 CEST	443	49799	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.011831045 CEST	49799	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.012070894 CEST	49799	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.012078047 CEST	443	49799	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.012805939 CEST	49800	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.012887955 CEST	443	49800	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.012957096 CEST	49800	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.013170004 CEST	49800	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.013190031 CEST	443	49800	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.214843988 CEST	443	49798	35.190.80.1	192.168.2.3
Oct 2, 2023 22:04:45.215457916 CEST	49798	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:04:45.215490103 CEST	443	49798	35.190.80.1	192.168.2.3
Oct 2, 2023 22:04:45.216962099 CEST	443	49798	35.190.80.1	192.168.2.3
Oct 2, 2023 22:04:45.217024088 CEST	49798	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:04:45.227746010 CEST	49798	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:04:45.227992058 CEST	49798	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:04:45.228008032 CEST	443	49798	35.190.80.1	192.168.2.3
Oct 2, 2023 22:04:45.236558914 CEST	443	49799	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.236772060 CEST	49799	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.236788988 CEST	443	49799	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.237202883 CEST	443	49799	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.237478018 CEST	49799	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.237576962 CEST	49799	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.237584114 CEST	443	49799	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.237673044 CEST	443	49799	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.243170977 CEST	443	49800	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.243415117 CEST	49800	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.243488073 CEST	443	49800	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.244127035 CEST	443	49800	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.244407892 CEST	49800	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.244504929 CEST	443	49800	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.244530916 CEST	49800	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.268851042 CEST	49798	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:04:45.268879890 CEST	443	49798	35.190.80.1	192.168.2.3
Oct 2, 2023 22:04:45.277698994 CEST	49799	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.284696102 CEST	49800	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.290482998 CEST	443	49800	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.309684992 CEST	49798	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:04:45.441879988 CEST	443	49798	35.190.80.1	192.168.2.3
Oct 2, 2023 22:04:45.442009926 CEST	443	49798	35.190.80.1	192.168.2.3
Oct 2, 2023 22:04:45.442167997 CEST	49798	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:04:45.442219973 CEST	49798	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:04:45.442219973 CEST	49798	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:04:45.442243099 CEST	443	49798	35.190.80.1	192.168.2.3
Oct 2, 2023 22:04:45.442289114 CEST	49798	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:04:45.443044901 CEST	49801	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:04:45.443126917 CEST	443	49801	35.190.80.1	192.168.2.3
Oct 2, 2023 22:04:45.443244934 CEST	49801	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:04:45.443563938 CEST	49801	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:04:45.443619967 CEST	443	49801	35.190.80.1	192.168.2.3
Oct 2, 2023 22:04:45.469175100 CEST	443	49799	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.469225883 CEST	443	49799	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.469273090 CEST	49799	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.470107079 CEST	49799	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.470119953 CEST	443	49799	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.472693920 CEST	443	49800	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.472825050 CEST	443	49800	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.472904921 CEST	49800	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.472934008 CEST	443	49800	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.472966909 CEST	443	49800	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.473021030 CEST	49800	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.473057032 CEST	443	49800	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.473098040 CEST	443	49800	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.473145008 CEST	49800	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.477936983 CEST	49800	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.477967024 CEST	443	49800	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.483707905 CEST	49802	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.483786106 CEST	443	49802	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.483860016 CEST	49802	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.484858990 CEST	49802	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.484891891 CEST	443	49802	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.596956015 CEST	49804	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.597039938 CEST	443	49804	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.597064018 CEST	49805	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.597130060 CEST	49804	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.597145081 CEST	443	49805	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.597219944 CEST	49805	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.597413063 CEST	49804	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.597434998 CEST	443	49804	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.597575903 CEST	49805	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.597609043 CEST	443	49805	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.661134958 CEST	443	49801	35.190.80.1	192.168.2.3
Oct 2, 2023 22:04:45.661524057 CEST	49801	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:04:45.661607027 CEST	443	49801	35.190.80.1	192.168.2.3
Oct 2, 2023 22:04:45.662266016 CEST	443	49801	35.190.80.1	192.168.2.3
Oct 2, 2023 22:04:45.662769079 CEST	49801	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:04:45.662769079 CEST	49801	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:04:45.662859917 CEST	443	49801	35.190.80.1	192.168.2.3
Oct 2, 2023 22:04:45.662940979 CEST	443	49801	35.190.80.1	192.168.2.3
Oct 2, 2023 22:04:45.695604086 CEST	443	49802	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.695847988 CEST	49802	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.695883989 CEST	443	49802	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.697321892 CEST	443	49802	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.697648048 CEST	49802	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.697787046 CEST	49802	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.697796106 CEST	443	49802	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.698088884 CEST	443	49802	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.703809023 CEST	49801	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:04:45.738714933 CEST	49802	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.812989950 CEST	443	49804	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.813209057 CEST	49804	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.813229084 CEST	443	49804	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.814086914 CEST	443	49804	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.814145088 CEST	49804	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.814466953 CEST	49804	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.814547062 CEST	443	49804	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.814618111 CEST	49804	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.814630985 CEST	443	49804	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.819220066 CEST	443	49805	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.819443941 CEST	49805	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.819477081 CEST	443	49805	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.822446108 CEST	443	49805	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.822509050 CEST	49805	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.822760105 CEST	49805	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.822835922 CEST	49805	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.822837114 CEST	443	49805	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.860357046 CEST	49804	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.870460033 CEST	443	49805	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.876024961 CEST	49805	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.876044035 CEST	443	49805	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.893163919 CEST	443	49801	35.190.80.1	192.168.2.3
Oct 2, 2023 22:04:45.893280983 CEST	443	49801	35.190.80.1	192.168.2.3
Oct 2, 2023 22:04:45.893433094 CEST	49801	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:04:45.895153999 CEST	49801	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:04:45.895184994 CEST	443	49801	35.190.80.1	192.168.2.3
Oct 2, 2023 22:04:45.922863960 CEST	49805	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.930731058 CEST	443	49802	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.930780888 CEST	443	49802	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.930810928 CEST	443	49802	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.930833101 CEST	49802	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.930860043 CEST	443	49802	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.930917025 CEST	49802	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.930924892 CEST	443	49802	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.930936098 CEST	443	49802	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:45.930968046 CEST	49802	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.932188988 CEST	49802	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:45.932200909 CEST	443	49802	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:46.042102098 CEST	443	49804	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:46.042165995 CEST	443	49804	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:46.042232990 CEST	49804	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:46.042946100 CEST	49804	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:46.042984962 CEST	443	49804	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:46.049935102 CEST	443	49805	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:46.050054073 CEST	443	49805	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:46.050123930 CEST	49805	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:46.050148964 CEST	443	49805	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:46.050180912 CEST	443	49805	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:46.050240040 CEST	49805	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:46.050282955 CEST	443	49805	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:46.050318956 CEST	443	49805	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:46.050383091 CEST	49805	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:46.051311970 CEST	49805	443	192.168.2.3	104.26.12.122
Oct 2, 2023 22:04:46.051342964 CEST	443	49805	104.26.12.122	192.168.2.3
Oct 2, 2023 22:04:48.820926905 CEST	49808	443	192.168.2.3	142.251.16.106
Oct 2, 2023 22:04:48.820954084 CEST	443	49808	142.251.16.106	192.168.2.3
Oct 2, 2023 22:04:48.821023941 CEST	49808	443	192.168.2.3	142.251.16.106
Oct 2, 2023 22:04:48.821439981 CEST	49808	443	192.168.2.3	142.251.16.106
Oct 2, 2023 22:04:48.821450949 CEST	443	49808	142.251.16.106	192.168.2.3
Oct 2, 2023 22:04:49.032177925 CEST	443	49808	142.251.16.106	192.168.2.3
Oct 2, 2023 22:04:49.032428980 CEST	49808	443	192.168.2.3	142.251.16.106
Oct 2, 2023 22:04:49.032438040 CEST	443	49808	142.251.16.106	192.168.2.3
Oct 2, 2023 22:04:49.033308029 CEST	443	49808	142.251.16.106	192.168.2.3
Oct 2, 2023 22:04:49.033363104 CEST	49808	443	192.168.2.3	142.251.16.106
Oct 2, 2023 22:04:49.034195900 CEST	49808	443	192.168.2.3	142.251.16.106
Oct 2, 2023 22:04:49.034240007 CEST	443	49808	142.251.16.106	192.168.2.3
Oct 2, 2023 22:04:49.076776981 CEST	49808	443	192.168.2.3	142.251.16.106
Oct 2, 2023 22:04:49.076787949 CEST	443	49808	142.251.16.106	192.168.2.3
Oct 2, 2023 22:04:49.123642921 CEST	49808	443	192.168.2.3	142.251.16.106
Oct 2, 2023 22:04:59.027826071 CEST	443	49808	142.251.16.106	192.168.2.3
Oct 2, 2023 22:04:59.027905941 CEST	443	49808	142.251.16.106	192.168.2.3
Oct 2, 2023 22:04:59.027961969 CEST	49808	443	192.168.2.3	142.251.16.106
Oct 2, 2023 22:05:00.414088964 CEST	49808	443	192.168.2.3	142.251.16.106
Oct 2, 2023 22:05:00.414134026 CEST	443	49808	142.251.16.106	192.168.2.3
Oct 2, 2023 22:05:44.892502069 CEST	49844	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:05:44.892576933 CEST	443	49844	35.190.80.1	192.168.2.3
Oct 2, 2023 22:05:44.892676115 CEST	49844	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:05:44.892909050 CEST	49844	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:05:44.892929077 CEST	443	49844	35.190.80.1	192.168.2.3
Oct 2, 2023 22:05:45.106362104 CEST	443	49844	35.190.80.1	192.168.2.3
Oct 2, 2023 22:05:45.106666088 CEST	49844	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:05:45.106697083 CEST	443	49844	35.190.80.1	192.168.2.3
Oct 2, 2023 22:05:45.107148886 CEST	443	49844	35.190.80.1	192.168.2.3
Oct 2, 2023 22:05:45.107492924 CEST	49844	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:05:45.107556105 CEST	443	49844	35.190.80.1	192.168.2.3
Oct 2, 2023 22:05:45.107609987 CEST	49844	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:05:45.150444031 CEST	443	49844	35.190.80.1	192.168.2.3
Oct 2, 2023 22:05:45.339204073 CEST	443	49844	35.190.80.1	192.168.2.3
Oct 2, 2023 22:05:45.339386940 CEST	443	49844	35.190.80.1	192.168.2.3
Oct 2, 2023 22:05:45.339453936 CEST	49844	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:05:45.339582920 CEST	49844	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:05:45.339629889 CEST	443	49844	35.190.80.1	192.168.2.3
Oct 2, 2023 22:05:45.339670897 CEST	49844	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:05:45.339693069 CEST	49844	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:05:45.340200901 CEST	49846	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:05:45.340231895 CEST	443	49846	35.190.80.1	192.168.2.3
Oct 2, 2023 22:05:45.340296030 CEST	49846	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:05:45.340464115 CEST	49846	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:05:45.340475082 CEST	443	49846	35.190.80.1	192.168.2.3
Oct 2, 2023 22:05:45.556756020 CEST	443	49846	35.190.80.1	192.168.2.3
Oct 2, 2023 22:05:45.557060003 CEST	49846	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:05:45.557096958 CEST	443	49846	35.190.80.1	192.168.2.3
Oct 2, 2023 22:05:45.558249950 CEST	443	49846	35.190.80.1	192.168.2.3
Oct 2, 2023 22:05:45.558630943 CEST	49846	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:05:45.558758020 CEST	49846	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:05:45.558769941 CEST	443	49846	35.190.80.1	192.168.2.3
Oct 2, 2023 22:05:45.558825016 CEST	443	49846	35.190.80.1	192.168.2.3
Oct 2, 2023 22:05:45.598083973 CEST	49846	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:05:45.789112091 CEST	443	49846	35.190.80.1	192.168.2.3
Oct 2, 2023 22:05:45.789280891 CEST	443	49846	35.190.80.1	192.168.2.3
Oct 2, 2023 22:05:45.789361000 CEST	49846	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:05:45.789419889 CEST	49846	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:05:45.789462090 CEST	443	49846	35.190.80.1	192.168.2.3
Oct 2, 2023 22:05:45.789489985 CEST	49846	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:05:45.789541960 CEST	49846	443	192.168.2.3	35.190.80.1
Oct 2, 2023 22:05:48.774935961 CEST	49848	443	192.168.2.3	142.251.16.106
Oct 2, 2023 22:05:48.775016069 CEST	443	49848	142.251.16.106	192.168.2.3
Oct 2, 2023 22:05:48.775147915 CEST	49848	443	192.168.2.3	142.251.16.106
Oct 2, 2023 22:05:48.775325060 CEST	49848	443	192.168.2.3	142.251.16.106
Oct 2, 2023 22:05:48.775347948 CEST	443	49848	142.251.16.106	192.168.2.3
Oct 2, 2023 22:05:48.993449926 CEST	443	49848	142.251.16.106	192.168.2.3
Oct 2, 2023 22:05:48.993793964 CEST	49848	443	192.168.2.3	142.251.16.106
Oct 2, 2023 22:05:48.993853092 CEST	443	49848	142.251.16.106	192.168.2.3
Oct 2, 2023 22:05:48.994611979 CEST	443	49848	142.251.16.106	192.168.2.3
Oct 2, 2023 22:05:48.995086908 CEST	49848	443	192.168.2.3	142.251.16.106
Oct 2, 2023 22:05:48.995223999 CEST	443	49848	142.251.16.106	192.168.2.3
Oct 2, 2023 22:05:49.039530993 CEST	49848	443	192.168.2.3	142.251.16.106
Oct 2, 2023 22:05:59.013161898 CEST	443	49848	142.251.16.106	192.168.2.3
Oct 2, 2023 22:05:59.013314009 CEST	443	49848	142.251.16.106	192.168.2.3
Oct 2, 2023 22:05:59.013370991 CEST	49848	443	192.168.2.3	142.251.16.106
Oct 2, 2023 22:06:00.415581942 CEST	49848	443	192.168.2.3	142.251.16.106
Oct 2, 2023 22:06:00.415649891 CEST	443	49848	142.251.16.106	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2023 22:04:44.274521112 CEST	50357	53	192.168.2.3	8.8.8.8
Oct 2, 2023 22:04:44.274650097 CEST	50598	53	192.168.2.3	8.8.8.8
Oct 2, 2023 22:04:44.275108099 CEST	63088	53	192.168.2.3	8.8.8.8
Oct 2, 2023 22:04:44.275350094 CEST	52726	53	192.168.2.3	8.8.8.8
Oct 2, 2023 22:04:44.275737047 CEST	65279	53	192.168.2.3	8.8.8.8
Oct 2, 2023 22:04:44.275899887 CEST	52643	53	192.168.2.3	8.8.8.8
Oct 2, 2023 22:04:44.381802082 CEST	53	52425	8.8.8.8	192.168.2.3
Oct 2, 2023 22:04:44.382769108 CEST	53	63088	8.8.8.8	192.168.2.3
Oct 2, 2023 22:04:44.383568048 CEST	53	65279	8.8.8.8	192.168.2.3
Oct 2, 2023 22:04:44.384448051 CEST	53	52643	8.8.8.8	192.168.2.3
Oct 2, 2023 22:04:44.386179924 CEST	53	50598	8.8.8.8	192.168.2.3
Oct 2, 2023 22:04:44.392697096 CEST	53	52726	8.8.8.8	192.168.2.3
Oct 2, 2023 22:04:44.401931047 CEST	53	50357	8.8.8.8	192.168.2.3
Oct 2, 2023 22:04:44.882023096 CEST	54711	53	192.168.2.3	8.8.8.8
Oct 2, 2023 22:04:44.882268906 CEST	58538	53	192.168.2.3	8.8.8.8
Oct 2, 2023 22:04:44.985100985 CEST	53	58538	8.8.8.8	192.168.2.3
Oct 2, 2023 22:04:44.988352060 CEST	53	54711	8.8.8.8	192.168.2.3
Oct 2, 2023 22:04:45.020453930 CEST	53	58663	8.8.8.8	192.168.2.3
Oct 2, 2023 22:04:45.484415054 CEST	58193	53	192.168.2.3	8.8.8.8
Oct 2, 2023 22:04:45.484606981 CEST	54477	53	192.168.2.3	8.8.8.8
Oct 2, 2023 22:04:45.591134071 CEST	53	58193	8.8.8.8	192.168.2.3
Oct 2, 2023 22:04:45.596359015 CEST	53	54477	8.8.8.8	192.168.2.3
Oct 2, 2023 22:04:48.713205099 CEST	65207	53	192.168.2.3	8.8.8.8
Oct 2, 2023 22:04:48.713583946 CEST	54165	53	192.168.2.3	8.8.8.8
Oct 2, 2023 22:04:48.813393116 CEST	53	54165	8.8.8.8	192.168.2.3
Oct 2, 2023 22:04:48.819675922 CEST	53	65207	8.8.8.8	192.168.2.3
Oct 2, 2023 22:05:02.203422070 CEST	53	49562	8.8.8.8	192.168.2.3
Oct 2, 2023 22:05:09.109405994 CEST	53	49650	8.8.8.8	192.168.2.3
Oct 2, 2023 22:05:19.743182898 CEST	53	55927	8.8.8.8	192.168.2.3
Oct 2, 2023 22:05:38.238466978 CEST	53	62549	8.8.8.8	192.168.2.3
Oct 2, 2023 22:05:43.992939949 CEST	53	63384	8.8.8.8	192.168.2.3
Oct 2, 2023 22:06:22.428034067 CEST	53	65316	8.8.8.8	192.168.2.3
Oct 2, 2023 22:07:38.956628084 CEST	53	62415	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2023 22:04:44.274521112 CEST	192.168.2.3	8.8.8.8	0x5241	Standard query (0)	nezurexternal.sell.app	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:44.274650097 CEST	192.168.2.3	8.8.8.8	0x8ed3	Standard query (0)	nezurexternal.sell.app	65	IN (0x0001)	false
Oct 2, 2023 22:04:44.275108099 CEST	192.168.2.3	8.8.8.8	0x9255	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:44.275350094 CEST	192.168.2.3	8.8.8.8	0x93ea	Standard query (0)	clients2.google.com	65	IN (0x0001)	false
Oct 2, 2023 22:04:44.275737047 CEST	192.168.2.3	8.8.8.8	0xa5e	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:44.275899887 CEST	192.168.2.3	8.8.8.8	0x4900	Standard query (0)	accounts.google.com	65	IN (0x0001)	false
Oct 2, 2023 22:04:44.882023096 CEST	192.168.2.3	8.8.8.8	0xda4d	Standard query (0)	a.nel.cloudflare.com	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:44.882268906 CEST	192.168.2.3	8.8.8.8	0x2d0a	Standard query (0)	a.nel.cloudflare.com	65	IN (0x0001)	false
Oct 2, 2023 22:04:45.484415054 CEST	192.168.2.3	8.8.8.8	0x9805	Standard query (0)	nezurexternal.sell.app	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:45.484606981 CEST	192.168.2.3	8.8.8.8	0xea88	Standard query (0)	nezurexternal.sell.app	65	IN (0x0001)	false
Oct 2, 2023 22:04:48.713205099 CEST	192.168.2.3	8.8.8.8	0xb1d0	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:48.713583946 CEST	192.168.2.3	8.8.8.8	0x51cc	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2023 22:04:44.382769108 CEST	8.8.8.8	192.168.2.3	0x9255	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2023 22:04:44.382769108 CEST	8.8.8.8	192.168.2.3	0x9255	No error (0)	clients.l.google.com		172.253.62.101	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:44.382769108 CEST	8.8.8.8	192.168.2.3	0x9255	No error (0)	clients.l.google.com		172.253.62.139	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:44.382769108 CEST	8.8.8.8	192.168.2.3	0x9255	No error (0)	clients.l.google.com		172.253.62.102	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:44.382769108 CEST	8.8.8.8	192.168.2.3	0x9255	No error (0)	clients.l.google.com		172.253.62.113	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:44.382769108 CEST	8.8.8.8	192.168.2.3	0x9255	No error (0)	clients.l.google.com		172.253.62.138	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:44.382769108 CEST	8.8.8.8	192.168.2.3	0x9255	No error (0)	clients.l.google.com		172.253.62.100	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:44.383568048 CEST	8.8.8.8	192.168.2.3	0xa5e	No error (0)	accounts.google.com		172.253.122.84	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:44.386179924 CEST	8.8.8.8	192.168.2.3	0x8ed3	No error (0)	nezurexternal.sell.app			65	IN (0x0001)	false
Oct 2, 2023 22:04:44.392697096 CEST	8.8.8.8	192.168.2.3	0x93ea	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2023 22:04:44.401931047 CEST	8.8.8.8	192.168.2.3	0x5241	No error (0)	nezurexternal.sell.app		104.26.12.122	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:44.401931047 CEST	8.8.8.8	192.168.2.3	0x5241	No error (0)	nezurexternal.sell.app		104.26.13.122	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:44.401931047 CEST	8.8.8.8	192.168.2.3	0x5241	No error (0)	nezurexternal.sell.app		172.67.72.62	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:44.988352060 CEST	8.8.8.8	192.168.2.3	0xda4d	No error (0)	a.nel.cloudflare.com		35.190.80.1	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:45.591134071 CEST	8.8.8.8	192.168.2.3	0x9805	No error (0)	nezurexternal.sell.app		104.26.12.122	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:45.591134071 CEST	8.8.8.8	192.168.2.3	0x9805	No error (0)	nezurexternal.sell.app		104.26.13.122	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:45.591134071 CEST	8.8.8.8	192.168.2.3	0x9805	No error (0)	nezurexternal.sell.app		172.67.72.62	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:45.596359015 CEST	8.8.8.8	192.168.2.3	0xea88	No error (0)	nezurexternal.sell.app			65	IN (0x0001)	false
Oct 2, 2023 22:04:48.813393116 CEST	8.8.8.8	192.168.2.3	0x51cc	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 2, 2023 22:04:48.819675922 CEST	8.8.8.8	192.168.2.3	0xb1d0	No error (0)	www.google.com		142.251.16.106	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:48.819675922 CEST	8.8.8.8	192.168.2.3	0xb1d0	No error (0)	www.google.com		142.251.16.103	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:48.819675922 CEST	8.8.8.8	192.168.2.3	0xb1d0	No error (0)	www.google.com		142.251.16.99	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:48.819675922 CEST	8.8.8.8	192.168.2.3	0xb1d0	No error (0)	www.google.com		142.251.16.147	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:48.819675922 CEST	8.8.8.8	192.168.2.3	0xb1d0	No error (0)	www.google.com		142.251.16.104	A (IP address)	IN (0x0001)	false
Oct 2, 2023 22:04:48.819675922 CEST	8.8.8.8	192.168.2.3	0xb1d0	No error (0)	www.google.com		142.251.16.105	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

nezurexternal.sell.app

clients2.google.com

accounts.google.com

https:

a.nel.cloudflare.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49797	104.26.12.122	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-10-02 20:04:44 UTC	0	OUT	GET /product/nezur-key-bypass-85-off?info=faq HTTP/1.1 Host: nezurexternal.sell.app Connection: keep-alive sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-10-02 20:04:44 UTC	3	IN	HTTP/1.1 403 Forbidden Date: Mon, 02 Oct 2023 20:04:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4511 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Mon, 02 Oct 2023 20:04:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OGOGeFWSn19SqrVwNNT8K9sAKmaYduksihsDgIIySTxooK5dCARAYwXyCoyq10UMV8hx%2FmayycAzkEqN2kUn50Y2XA8vru4mO1Ft0u7WJkr6kTAcTWm1aghu3WNK3EaDAtKeTT%2Bm5K8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 80ff8e641a14241a-IAD alt-svc: h3=":443"; ma=86400
2023-10-02 20:04:44 UTC	4	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE
2023-10-02 20:04:44 UTC	4	IN	Data Raw: 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 5f 73 74 79 6c 65 73 2d 69 65 2d 63 73 73 27 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 Data Ascii: ="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEna
2023-10-02 20:04:44 UTC	6	IN	Data Raw: 6e 73 20 74 77 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 62 6c 6f 63 6b 65 64 5f 77 68 79 5f 68 65 61 64 6c 69 6e 65 22 3e 57 68 79 20 68 61 76 65 20 49 20 62 65 65 6e 20 62 6c 6f 63 6b 65 64 3f 3c 2f 68 32 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 62 6c 6f 63 6b 65 64 5f 77 68 79 5f 64 65 74 61 69 6c 22 3e 54 68 69 73 20 77 65 62 73 69 74 65 20 69 73 20 75 73 69 6e 67 20 61 20 73 65 63 75 72 69 74 79 20 73 65 72 76 69 63 65 20 74 6f 20 70 72 6f 74 65 63 74 20 69 74 73 65 6c 66 20 66 72 6f 6d 20 6f 6e 6c 69 6e 65 20 61 74 74 61 63 Data Ascii: ns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-translate="blocked_why_detail">This website is using a security service to protect itself from online attac
2023-10-02 20:04:44 UTC	7	IN	Data Raw: 6d 62 2d 31 22 3e 0a 20 20 20 20 20 20 59 6f 75 72 20 49 50 3a 0a 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 2d 62 74 6e 22 3e 43 6c 69 63 6b 20 74 6f 20 72 65 76 65 61 6c 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 31 30 32 2e 31 36 35 2e 34 38 2e 38 34 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c Data Ascii: mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">102.165.48.84</span> <span class="cf-footer-separator sm:hidden">•<

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49795	172.253.62.101	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-10-02 20:04:44 UTC	0	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=115.0.5790.171&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-115.0.5790.171 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-10-02 20:04:44 UTC	2	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-zwiy6Y2ZUV08d2mBO2iyeA' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 02 Oct 2023 20:04:44 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 6118 X-Daystart: 47084 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-10-02 20:04:44 UTC	2	IN	Data Raw: 32 63 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 36 31 31 38 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 34 37 30 38 34 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 2c9<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="6118" elapsed_seconds="47084"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2023-10-02 20:04:44 UTC	3	IN	Data Raw: 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2023-10-02 20:04:44 UTC	3	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.3	49805	104.26.12.122	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-10-02 20:04:45 UTC	43	OUT	GET /cdn-cgi/images/cf-no-screenshot-error.png HTTP/1.1 Host: nezurexternal.sell.app Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-10-02 20:04:46 UTC	50	IN	HTTP/1.1 200 OK Date: Mon, 02 Oct 2023 20:04:45 GMT Content-Type: image/png Content-Length: 3213 Connection: close Last-Modified: Wed, 27 Sep 2023 11:52:30 GMT ETag: "6514177e-c8d" Server: cloudflare CF-RAY: 80ff8e6b69f09c79-IAD X-Frame-Options: DENY X-Content-Type-Options: nosniff Expires: Mon, 02 Oct 2023 22:04:45 GMT Cache-Control: max-age=7200 Cache-Control: public Accept-Ranges: bytes
2023-10-02 20:04:46 UTC	50	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 b2 00 00 00 af 08 03 00 00 00 6e 1c 74 1f 00 00 02 d0 50 4c 54 45 00 00 00 ff ff ff ff 80 80 ff 55 55 bf 40 40 cc 33 33 d4 2a 2a db 24 49 bf 40 40 c6 39 39 cc 33 33 d1 2e 2e bf 2a 2a c4 27 27 c8 24 37 cc 33 33 bf 30 30 c3 2d 2d c6 2a 2a c9 28 28 bf 26 26 c2 24 31 c5 2e 2e bc 2c 2c bf 2a 2a c2 29 29 c4 27 27 bd 26 2f bf 24 2e c1 2c 2c c3 2a 2a bd 29 29 bf 28 28 c1 27 27 bf 2a 2a c1 29 29 c3 28 28 be 27 27 bf 26 26 c1 25 2c c2 24 2a be 2a 2a bf 29 29 c1 28 28 bc 27 27 be 26 26 bf 25 2a c1 24 2a bd 29 29 be 28 28 c0 26 26 bd 26 2a be 25 2a bf 24 29 bd 28 28 be 27 27 bf 26 26 c0 26 2a bd 25 29 be 24 28 bf 24 28 bc 27 27 bd 27 27 be 26 26 bc 25 29 bd 24 28 bf 27 27 bd 26 26 be 25 29 bf 25 28 bd 24 28 be Data Ascii: PNGIHDRntPLTEUU@@33$I@@9933..''$73300--((&&$1..,,))''&/$.,,))((''))((''&&%,$**))((''&&%$))((&&&%$)((''&&&%)$($(''''&&%)$(''&&%)%($(
2023-10-02 20:04:46 UTC	51	IN	Data Raw: ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe 34 dd b2 71 00 00 08 7d 49 44 41 54 78 da ed 9d fb 5f 15 45 18 c6 e7 20 1c f1 88 02 e2 51 10 31 b3 bc e5 35 6f 69 9a a4 26 59 26 9a 5a 26 11 69 a2 e2 a5 d2 cc 22 af 05 6a 9a a2 96 9a 8a 22 9a e2 5d b9 69 89 a9 a0 88 5c 2d 4d 25 c5 6b 2a 06 04 bc ff 42 de 15 98 dd 79 67 76 76 f7 d4 e7 3c 3f cf 3e f3 65 d9 9d 79 e7 9d 77 e7 10 e2 94 53 4e fd cf 54 d7 db f5 bf 80 e9 d6 26 68 dc 9c d8 a4 13 e7 8b e1 81 ae 15 a4 ed 58 3e 7d 54 9f c6 8e 48 5b a7 67 c4 ba cc 52 50 d2 95 a4 e8 91 2d 1c 08 d7 d6 6f 76 5a 19 b0 55 b4 29 cc 21 b0 1b 86 24 fc 0d 78 fd 1e d5 bb 96 a9 bc 9e a1 fb cb 81 57 45 8b 7b 59 4c e2 75 e9 Data Ascii: 4q}IDATx_E Q15oi&Y&Z&i"j"]i\-M%k*Bygvv<?>eywSNT&hX>}TH[gRP-ovZU)!$xWE{YLu
2023-10-02 20:04:46 UTC	52	IN	Data Raw: 8b e8 91 cc 89 ac f0 09 f4 67 5c 26 19 0d 89 06 d9 f6 73 75 56 a9 f0 08 0e e0 31 39 6e 67 54 c5 4f b2 4a 8c f8 73 15 5c 1a 70 94 4d 66 32 88 5d 63 59 79 a4 3a 3c 01 c2 2a 25 17 7c a0 75 92 45 bc 81 67 af 8d ad 31 4a 26 31 58 87 2c c6 e7 b1 6e 1b ee 37 db cc d8 9b c0 7f 51 a1 58 7e 3d 0c 69 70 8a 71 10 8a 75 e3 a3 ac 30 83 19 3b 46 fd a9 58 4e 61 c7 3d cc d9 be 48 62 80 8d 6e ea 2d 37 e0 90 57 2b 5b a0 a2 2c 56 7d 45 95 7b b7 41 bd 04 d9 15 f7 6c 8c 52 76 98 81 b8 9c b5 93 6e 8d af d2 7c bd 3a b3 0f e6 db bc 72 95 97 bd 23 fb f2 42 c6 9e a9 75 73 b5 0b d6 aa 33 63 86 e7 24 35 03 f6 ba 9d 51 b5 46 19 05 54 bf 85 b3 9c 46 20 87 ab f5 c8 ae b4 eb c3 3f 6e fd a0 c2 3c 0e 41 5c d1 4c ad cb 17 45 43 aa 27 bb ed 14 ad 50 64 0e c6 04 bc 89 ea ff 58 e6 c1 01 67 7c Data Ascii: g\&suV19ngTOJs\pMf2]cYy:<*%\|uEg1J&1X,n7QX~=ipqu0;FXNa=Hbn-7W+[,V}E{AlRvn\|:r#Bus3c$5QFTF ?n<A\LEC'PdXg\|

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.3	49844	35.190.80.1	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-10-02 20:05:45 UTC	53	OUT	OPTIONS /report/v3?s=3y49IfOROrJ6ROX%2BFesMXv620No%2FsmuBRJRLLp27AOefsTSDXkjeMozJknjdyF%2BRnYPbr6FBxLBTslD1eS%2BW10zXZbCzLHruuSmeiXOL6DPvGsDbmxronU%2FiM2YPFm9TO3QODogO5zM%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Origin: https://nezurexternal.sell.app Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-10-02 20:05:45 UTC	54	IN	HTTP/1.1 200 OK content-length: 0 access-control-max-age: 86400 access-control-allow-methods: POST, OPTIONS access-control-allow-origin: * access-control-allow-headers: content-type, content-length date: Mon, 02 Oct 2023 20:05:44 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.3	49846	35.190.80.1	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-10-02 20:05:45 UTC	54	OUT	POST /report/v3?s=3y49IfOROrJ6ROX%2BFesMXv620No%2FsmuBRJRLLp27AOefsTSDXkjeMozJknjdyF%2BRnYPbr6FBxLBTslD1eS%2BW10zXZbCzLHruuSmeiXOL6DPvGsDbmxronU%2FiM2YPFm9TO3QODogO5zM%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Content-Length: 478 Content-Type: application/reports+json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-10-02 20:05:45 UTC	55	OUT	Data Raw: 5b 7b 22 61 67 65 22 3a 35 38 39 36 30 2c 22 62 6f 64 79 22 3a 7b 22 65 6c 61 70 73 65 64 5f 74 69 6d 65 22 3a 34 34 37 2c 22 6d 65 74 68 6f 64 22 3a 22 47 45 54 22 2c 22 70 68 61 73 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 68 74 74 70 2f 31 2e 31 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 68 74 74 70 73 3a 2f 2f 6e 65 7a 75 72 65 78 74 65 72 6e 61 6c 2e 73 65 6c 6c 2e 61 70 70 2f 70 72 6f 64 75 63 74 2f 6e 65 7a 75 72 2d 6b 65 79 2d 62 79 70 61 73 73 2d 38 35 2d 6f 66 66 3f 69 6e 66 6f 3d 66 61 71 22 2c 22 73 61 6d 70 6c 69 6e 67 5f 66 72 61 63 74 69 6f 6e 22 3a 31 2e 30 2c 22 73 65 72 76 65 72 5f 69 70 22 3a 22 31 30 34 2e 32 36 2e 31 32 2e 31 32 32 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 34 30 33 2c Data Ascii: [{"age":58960,"body":{"elapsed_time":447,"method":"GET","phase":"application","protocol":"http/1.1","referrer":"https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faq","sampling_fraction":1.0,"server_ip":"104.26.12.122","status_code":403,
2023-10-02 20:05:45 UTC	55	IN	HTTP/1.1 200 OK content-length: 0 date: Mon, 02 Oct 2023 20:05:45 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49794	172.253.122.84	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-10-02 20:04:44 UTC	1	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: CONSENT=PENDING+904; AEC=Ad49MVGiijyX5dxPFAKxKYso-rIS24Ht-Pxs5fU9hHrAzfASnm-jqdQE1g; NID=511=WyMJovC2uA2AEbHQkGfP-KDdYCeg5Q7Mv6gxYT-qeugtrnXImrhmp1SixwS4ydh_E8Z0hdfCLAXvg2WUqsBSfqpx5SFvCCoeGeevqlEfkoxYi9FTISb8Cu7rr5rf9PyyNbLqf2QbxG7ja7jAB6UJQd5CPvMGcYUasORCRKRL1-arNYzfADAWHJvBLXml-Km_uewDreOyJ-MjxAI-i38Tl6LXI3zB; 1P_JAR=2023-09-25-08
2023-10-02 20:04:44 UTC	2	OUT	Data Raw: 20 Data Ascii:
2023-10-02 20:04:44 UTC	9	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 02 Oct 2023 20:04:44 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-0dyxlJ2N4nb96m9gvcRWSA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-10-02 20:04:44 UTC	10	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2023-10-02 20:04:44 UTC	10	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49796	104.26.12.122	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-10-02 20:04:44 UTC	8	OUT	GET /cdn-cgi/styles/cf.errors.css HTTP/1.1 Host: nezurexternal.sell.app Connection: keep-alive sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: text/css,/;q=0.1 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: style Referer: https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faq Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-10-02 20:04:44 UTC	10	IN	HTTP/1.1 200 OK Date: Mon, 02 Oct 2023 20:04:44 GMT Content-Type: text/css Content-Length: 24132 Connection: close Last-Modified: Wed, 27 Sep 2023 11:52:30 GMT ETag: "6514177e-5e44" Server: cloudflare CF-RAY: 80ff8e64dadc084d-IAD X-Frame-Options: DENY X-Content-Type-Options: nosniff Expires: Mon, 02 Oct 2023 22:04:44 GMT Cache-Control: max-age=7200 Cache-Control: public Accept-Ranges: bytes
2023-10-02 20:04:44 UTC	11	IN	Data Raw: 23 63 66 2d 77 72 61 70 70 65 72 20 61 2c 23 63 66 2d 77 72 61 70 70 65 72 20 61 62 62 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 61 72 74 69 63 6c 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 61 73 69 64 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 62 2c 23 63 66 2d 77 72 61 70 70 65 72 20 62 69 67 2c 23 63 66 2d 77 72 61 70 70 65 72 20 62 6c 6f 63 6b 71 75 6f 74 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 62 6f 64 79 2c 23 63 66 2d 77 72 61 70 70 65 72 20 63 61 6e 76 61 73 2c 23 63 66 2d 77 72 61 70 70 65 72 20 63 61 70 74 69 6f 6e 2c 23 63 66 2d 77 72 61 70 70 65 72 20 63 65 6e 74 65 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 63 69 74 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 63 6f 64 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 64 64 2c 23 63 66 2d 77 72 61 70 70 Data Ascii: #cf-wrapper a,#cf-wrapper abbr,#cf-wrapper article,#cf-wrapper aside,#cf-wrapper b,#cf-wrapper big,#cf-wrapper blockquote,#cf-wrapper body,#cf-wrapper canvas,#cf-wrapper caption,#cf-wrapper center,#cf-wrapper cite,#cf-wrapper code,#cf-wrapper dd,#cf-wrapp
2023-10-02 20:04:44 UTC	12	IN	Data Raw: 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 74 72 6f 6e 67 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 75 62 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 75 6d 6d 61 72 79 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 75 70 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 61 62 6c 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 62 6f 64 79 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 64 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 66 6f 6f 74 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 68 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 68 65 61 64 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 74 2c 23 63 66 2d 77 72 61 70 70 65 72 20 75 2c 23 63 66 2d 77 72 61 70 70 65 72 20 75 6c 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 3b 62 6f Data Ascii: e,#cf-wrapper strong,#cf-wrapper sub,#cf-wrapper summary,#cf-wrapper sup,#cf-wrapper table,#cf-wrapper tbody,#cf-wrapper td,#cf-wrapper tfoot,#cf-wrapper th,#cf-wrapper thead,#cf-wrapper tr,#cf-wrapper tt,#cf-wrapper u,#cf-wrapper ul{margin:0;padding:0;bo
2023-10-02 20:04:44 UTC	13	IN	Data Raw: 31 2e 35 21 69 6d 70 6f 72 74 61 6e 74 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 21 69 6d 70 6f 72 74 61 6e 74 3b 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 74 61 70 2d 68 69 67 68 6c 69 67 68 74 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 32 34 36 2c 31 33 39 2c 33 31 2c 2e 33 29 3b 2d 77 65 62 6b 69 74 2d 66 6f 6e 74 2d 73 6d 6f 6f 74 68 69 6e 67 3a 61 6e 74 69 61 6c 69 61 73 65 64 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 73 65 63 74 69 6f 6e 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 65 63 74 69 6f 6e 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 30 20 30 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 32 65 6d 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 65 6d Data Ascii: 1.5!important;text-decoration:none!important;letter-spacing:normal;-webkit-tap-highlight-color:rgba(246,139,31,.3);-webkit-font-smoothing:antialiased}#cf-wrapper .cf-section,#cf-wrapper section{background:0 0;display:block;margin-bottom:2em;margin-top:2em
2023-10-02 20:04:44 UTC	14	IN	Data Raw: 6c 64 28 32 6e 29 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 63 6f 6c 73 2d 34 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69 6c 64 28 32 6e 29 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 66 6f 75 72 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69 6c 64 28 32 6e 29 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 74 77 6f 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69 6c 64 28 32 6e 29 7b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 32 32 2e 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 63 6f 6c 73 2d 32 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69 Data Ascii: ld(2n),#cf-wrapper .cf-columns.cols-4>.cf-column:nth-child(2n),#cf-wrapper .cf-columns.four>.cf-column:nth-child(2n),#cf-wrapper .cf-columns.two>.cf-column:nth-child(2n){padding-left:22.5px;padding-right:0}#cf-wrapper .cf-columns.cols-2>.cf-column:nth-chi
2023-10-02 20:04:44 UTC	16	IN	Data Raw: 29 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 66 6f 75 72 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69 6c 64 28 6f 64 64 29 7b 63 6c 65 61 72 3a 6e 6f 6e 65 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 63 6f 6c 73 2d 34 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 66 69 72 73 74 2d 63 68 69 6c 64 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 63 6f 6c 73 2d 34 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69 6c 64 28 34 6e 2b 31 29 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 66 6f 75 72 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 66 69 72 73 74 2d 63 68 69 6c 64 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 Data Ascii: ),#cf-wrapper .cf-columns.four>.cf-column:nth-child(odd){clear:none}#cf-wrapper .cf-columns.cols-4>.cf-column:first-child,#cf-wrapper .cf-columns.cols-4>.cf-column:nth-child(4n+1),#cf-wrapper .cf-columns.four>.cf-column:first-child,#cf-wrapper .cf-columns
2023-10-02 20:04:44 UTC	17	IN	Data Raw: 30 3b 70 61 64 64 69 6e 67 3a 30 7d 23 63 66 2d 77 72 61 70 70 65 72 20 68 31 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 32 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 33 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 23 63 66 2d 77 72 61 70 70 65 72 20 68 34 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 35 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 36 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 74 72 6f 6e 67 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 36 30 30 7d 23 63 66 2d 77 72 61 70 70 65 72 20 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 33 36 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 7d 23 63 66 2d 77 72 61 70 70 65 72 20 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 33 30 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 33 7d 23 63 66 2d 77 72 61 70 70 65 Data Ascii: 0;padding:0}#cf-wrapper h1,#cf-wrapper h2,#cf-wrapper h3{font-weight:400}#cf-wrapper h4,#cf-wrapper h5,#cf-wrapper h6,#cf-wrapper strong{font-weight:600}#cf-wrapper h1{font-size:36px;line-height:1.2}#cf-wrapper h2{font-size:30px;line-height:1.3}#cf-wrappe
2023-10-02 20:04:44 UTC	18	IN	Data Raw: 68 32 2b 68 34 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 32 2b 68 35 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 32 2b 68 36 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 33 2b 68 35 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 33 2b 68 36 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 33 2b 70 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 34 2b 70 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 35 2b 6f 6c 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 35 2b 70 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 35 2b 75 6c 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2e 35 65 6d 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 39 39 39 3b 63 6f 6c Data Ascii: h2+h4,#cf-wrapper h2+h5,#cf-wrapper h2+h6,#cf-wrapper h3+h5,#cf-wrapper h3+h6,#cf-wrapper h3+p,#cf-wrapper h4+p,#cf-wrapper h5+ol,#cf-wrapper h5+p,#cf-wrapper h5+ul{margin-top:.5em}#cf-wrapper .cf-btn{background-color:transparent;border:1px solid #999;col
2023-10-02 20:04:44 UTC	20	IN	Data Raw: 3a 23 36 32 61 31 64 38 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 31 36 33 39 35 39 3b 63 6f 6c 6f 72 3a 23 66 66 66 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 2d 64 61 6e 67 65 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 2d 65 72 72 6f 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 2d 69 6d 70 6f 72 74 61 6e 74 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 62 64 32 34 32 36 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 63 6f 6c 6f 72 3a 23 66 66 66 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 2d 64 61 6e 67 65 72 3a 68 6f 76 65 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 2d 65 72 72 6f 72 3a 68 6f 76 65 72 2c 23 Data Ascii: :#62a1d8;border:1px solid #163959;color:#fff}#cf-wrapper .cf-btn-danger,#cf-wrapper .cf-btn-error,#cf-wrapper .cf-btn-important{background-color:#bd2426;border-color:transparent;color:#fff}#cf-wrapper .cf-btn-danger:hover,#cf-wrapper .cf-btn-error:hover,#
2023-10-02 20:04:44 UTC	21	IN	Data Raw: 61 63 65 3a 6e 6f 77 72 61 70 7d 23 63 66 2d 77 72 61 70 70 65 72 20 69 6e 70 75 74 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 65 6c 65 63 74 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 65 78 74 61 72 65 61 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 39 39 39 21 69 6d 70 6f 72 74 61 6e 74 3b 63 6f 6c 6f 72 3a 23 34 30 34 30 34 30 21 69 6d 70 6f 72 74 61 6e 74 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 36 36 36 37 65 6d 21 69 6d 70 6f 72 74 61 6e 74 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 34 21 69 6d 70 6f 72 74 61 6e 74 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 65 6d 21 69 6d 70 6f 72 74 61 6e 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 30 25 21 69 6d 70 6f 72 74 61 6e Data Ascii: ace:nowrap}#cf-wrapper input,#cf-wrapper select,#cf-wrapper textarea{background:#fff!important;border:1px solid #999!important;color:#404040!important;font-size:.86667em!important;line-height:1.24!important;margin:0 0 1em!important;max-width:100%!importan
2023-10-02 20:04:44 UTC	22	IN	Data Raw: 3a 23 34 30 34 30 34 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 70 61 64 64 69 6e 67 3a 37 2e 35 70 78 20 31 35 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 6d 69 64 64 6c 65 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 32 70 78 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 61 6c 65 72 74 3a 65 6d 70 74 79 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 61 6c 65 72 74 20 2e 63 66 2d 63 6c 6f 73 65 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 63 6f 6c 6f 72 3a 69 6e 68 65 72 69 74 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 2e 37 35 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 3b 70 61 64 64 69 6e Data Ascii: :#404040;font-size:13px;padding:7.5px 15px;position:relative;vertical-align:middle;border-radius:2px}#cf-wrapper .cf-alert:empty{display:none}#cf-wrapper .cf-alert .cf-close{border:1px solid transparent;color:inherit;font-size:18.75px;line-height:1;paddin
2023-10-02 20:04:44 UTC	24	IN	Data Raw: 70 65 72 20 23 63 66 2d 65 72 72 6f 72 2d 62 61 6e 6e 65 72 20 70 7b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 69 6e 6c 69 6e 65 2d 73 74 61 63 6b 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 6f 74 74 6f 6d 3b 7a 6f 6f 6d 3a 31 7d 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 66 2d 65 72 72 6f 72 2d 62 61 6e 6e 65 72 20 68 34 7b 63 6f 6c 6f 72 3a 23 32 66 37 62 62 66 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 32 30 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 7d 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 66 2d 65 72 72 6f 72 2d 62 61 6e 6e 65 72 20 2e 63 66 2d 65 72 72 6f 72 2d 61 63 Data Ascii: per #cf-error-banner p{display:-moz-inline-stack;display:inline-block;vertical-align:bottom;zoom:1}#cf-wrapper #cf-error-banner h4{color:#2f7bbf;font-weight:400;font-size:20px;line-height:1;vertical-align:baseline}#cf-wrapper #cf-error-banner .cf-error-ac
2023-10-02 20:04:44 UTC	25	IN	Data Raw: 65 77 20 68 31 2c 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 20 2e 63 66 2d 65 72 72 6f 72 2d 6f 76 65 72 76 69 65 77 20 68 32 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 33 30 30 7d 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 20 2e 63 66 2d 65 72 72 6f 72 2d 6f 76 65 72 76 69 65 77 20 68 32 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 7d 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 20 2e 63 66 2d 68 69 67 68 6c 69 67 68 74 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 65 62 65 62 65 62 3b 6f 76 65 72 66 6c 6f 77 2d 78 3a 68 69 64 64 65 6e 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 Data Ascii: ew h1,#cf-wrapper #cf-error-details .cf-error-overview h2{font-weight:300}#cf-wrapper #cf-error-details .cf-error-overview h2{margin-top:0}#cf-wrapper #cf-error-details .cf-highlight{background:#ebebeb;overflow-x:hidden;padding:30px 0;background-image:-we
2023-10-02 20:04:44 UTC	26	IN	Data Raw: 3a 2d 36 30 70 78 3b 63 6f 6e 74 65 6e 74 3a 22 22 3b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 38 70 78 20 73 6f 6c 69 64 20 23 66 66 66 3b 62 6f 72 64 65 72 2d 6c 65 66 74 3a 32 30 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 6f 72 64 65 72 2d 72 69 67 68 74 3a 32 30 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 68 65 69 67 68 74 3a 30 3b 6c 65 66 74 3a 35 30 25 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 39 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 72 69 67 68 74 3a 35 30 25 3b 77 69 64 74 68 3a 30 7d 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 20 2e 63 66 2d 73 74 61 74 75 73 2d 69 74 65 6d 2b 2e 63 66 2d 73 74 Data Ascii: :-60px;content:"";display:none;border-bottom:18px solid #fff;border-left:20px solid transparent;border-right:20px solid transparent;height:0;left:50%;margin-left:-9px;position:absolute;right:50%;width:0}#cf-wrapper #cf-error-details .cf-status-item+.cf-st
2023-10-02 20:04:44 UTC	28	IN	Data Raw: 76 65 72 66 6c 6f 77 3a 65 6c 6c 69 70 73 69 73 3b 77 69 64 74 68 3a 31 30 30 25 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 6e 6f 77 72 61 70 7d 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 20 2e 63 66 2d 73 74 61 74 75 73 2d 64 65 73 63 3a 65 6d 70 74 79 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 20 2e 63 66 2d 65 72 72 6f 72 2d 66 6f 6f 74 65 72 7b 70 61 64 64 69 6e 67 3a 31 2e 33 33 33 33 33 65 6d 20 30 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 31 70 78 20 73 6f 6c 69 64 20 23 65 62 65 62 65 62 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 Data Ascii: verflow:ellipsis;width:100%;white-space:nowrap}#cf-wrapper #cf-error-details .cf-status-desc:empty{display:none}#cf-wrapper #cf-error-details .cf-error-footer{padding:1.33333em 0;border-top:1px solid #ebebeb;text-align:center}#cf-wrapper #cf-error-details
2023-10-02 20:04:44 UTC	29	IN	Data Raw: 61 72 2e 70 6e 67 3f 31 33 37 36 37 35 35 36 33 37 29 20 6e 6f 2d 72 65 70 65 61 74 20 23 66 66 66 3b 6d 61 78 2d 68 65 69 67 68 74 3a 34 30 30 70 78 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 30 25 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 35 33 70 78 3b 77 69 64 74 68 3a 39 36 30 70 78 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 35 70 78 20 35 70 78 20 30 20 30 7d 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 20 2e 63 66 2d 73 63 72 65 65 6e 73 68 6f 74 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 63 66 2d 6e 6f 2d 73 63 72 65 65 6e 73 68 6f 74 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 63 64 6e 2d 63 67 69 2f 69 6d 61 67 65 73 2f 63 66 2d 6e 6f 2d 73 63 72 65 65 6e 73 68 Data Ascii: ar.png?1376755637) no-repeat #fff;max-height:400px;max-width:100%;overflow:hidden;padding-top:53px;width:960px;border-radius:5px 5px 0 0}#cf-wrapper #cf-error-details .cf-screenshot-container .cf-no-screenshot{background:url(/cdn-cgi/images/cf-no-screensh
2023-10-02 20:04:44 UTC	30	IN	Data Raw: 6e 6f 2d 72 65 70 65 61 74 3b 68 65 69 67 68 74 3a 37 37 70 78 3b 77 69 64 74 68 3a 31 35 31 70 78 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 69 63 6f 6e 2d 73 65 72 76 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 63 64 6e 2d 63 67 69 2f 69 6d 61 67 65 73 2f 63 66 2d 69 63 6f 6e 2d 73 65 72 76 65 72 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 68 65 69 67 68 74 3a 37 35 70 78 3b 77 69 64 74 68 3a 39 35 70 78 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 69 63 6f 6e 2d 72 61 69 6c 67 75 6e 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 30 20 2d 38 34 38 70 78 3b 68 65 69 67 68 74 3a 38 31 70 78 3b 77 69 64 74 68 3a 39 35 70 78 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 61 72 65 74 7b 62 6f 72 64 65 72 Data Ascii: no-repeat;height:77px;width:151px}#cf-wrapper .cf-icon-server{background:url(/cdn-cgi/images/cf-icon-server.png) no-repeat;height:75px;width:95px}#cf-wrapper .cf-icon-railgun{background-position:0 -848px;height:81px;width:95px}#cf-wrapper .cf-caret{border
2023-10-02 20:04:44 UTC	32	IN	Data Raw: 74 75 73 2d 69 74 65 6d 7b 62 6f 72 64 65 72 3a 30 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 30 7d 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 20 2e 63 66 2d 73 74 61 74 75 73 2d 69 74 65 6d 2b 2e 63 66 2d 73 74 61 74 75 73 2d 69 74 65 6d 3a 62 65 66 6f 72 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 30 20 2d 35 34 34 70 78 3b 68 65 69 67 68 74 3a 32 34 2e 37 35 70 78 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 33 37 2e 35 70 78 3b 77 69 64 74 68 3a 37 35 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 3a 31 33 31 2e 32 35 70 78 20 61 75 74 6f 7d 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 20 2e 63 66 2d 69 63 6f 6e 2d 65 72 72 6f 72 2d 63 6f 6e 74 Data Ascii: tus-item{border:0;padding-top:0}#cf-wrapper #cf-error-details .cf-status-item+.cf-status-item:before{background-position:0 -544px;height:24.75px;margin-left:-37.5px;width:75px;background-size:131.25px auto}#cf-wrapper #cf-error-details .cf-icon-error-cont
2023-10-02 20:04:44 UTC	33	IN	Data Raw: 72 61 70 70 65 72 20 23 63 66 2d 65 72 72 6f 72 2d 62 61 6e 6e 65 72 20 2e 63 66 2d 64 65 74 61 69 6c 73 2d 6c 69 6e 6b 7b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 2e 35 65 6d 7d 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 66 2d 65 72 72 6f 72 2d 62 61 6e 6e 65 72 20 2e 63 66 2d 65 72 72 6f 72 2d 61 63 74 69 6f 6e 73 7b 66 6c 6f 61 74 3a 72 69 67 68 74 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 30 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 77 69 64 74 68 3a 61 75 74 6f 7d 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 20 2e 63 66 2d 73 74 61 74 75 73 2d 69 74 65 6d 2b 2e 63 66 2d 73 74 61 74 75 73 2d 69 74 65 6d 3a 62 65 66 6f 72 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 30 20 2d 37 Data Ascii: rapper #cf-error-banner .cf-details-link{padding-right:.5em}#cf-wrapper #cf-error-banner .cf-error-actions{float:right;margin-bottom:0;text-align:left;width:auto}#cf-wrapper #cf-error-details .cf-status-item+.cf-status-item:before{background-position:0 -7

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49798	35.190.80.1	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-10-02 20:04:45 UTC	34	OUT	OPTIONS /report/v3?s=OGOGeFWSn19SqrVwNNT8K9sAKmaYduksihsDgIIySTxooK5dCARAYwXyCoyq10UMV8hx%2FmayycAzkEqN2kUn50Y2XA8vru4mO1Ft0u7WJkr6kTAcTWm1aghu3WNK3EaDAtKeTT%2Bm5K8%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Origin: https://nezurexternal.sell.app Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-10-02 20:04:45 UTC	36	IN	HTTP/1.1 200 OK content-length: 0 access-control-max-age: 86400 access-control-allow-methods: OPTIONS, POST access-control-allow-origin: * access-control-allow-headers: content-type, content-length date: Mon, 02 Oct 2023 20:04:45 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49799	104.26.12.122	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-10-02 20:04:45 UTC	35	OUT	GET /cdn-cgi/images/browser-bar.png?1376755637 HTTP/1.1 Host: nezurexternal.sell.app Connection: keep-alive sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://nezurexternal.sell.app/cdn-cgi/styles/cf.errors.css Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-10-02 20:04:45 UTC	37	IN	HTTP/1.1 200 OK Date: Mon, 02 Oct 2023 20:04:45 GMT Content-Type: image/png Content-Length: 715 Connection: close Last-Modified: Wed, 27 Sep 2023 11:52:30 GMT ETag: "6514177e-2cb" Server: cloudflare CF-RAY: 80ff8e67ce713b11-IAD X-Frame-Options: DENY X-Content-Type-Options: nosniff Expires: Mon, 02 Oct 2023 22:04:45 GMT Cache-Control: max-age=7200 Cache-Control: public Accept-Ranges: bytes
2023-10-02 20:04:45 UTC	37	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 03 c0 00 00 00 35 08 03 00 00 00 b9 bf 72 9e 00 00 00 5d 50 4c 54 45 00 00 00 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 eb eb eb 99 99 99 c4 c4 c4 f1 f1 f1 e1 e1 e1 cc cc cc d2 d2 d2 b5 b5 b5 ad ad ad 9d 9d 9d 9b 9b 9b d8 d8 d8 de de de c1 c1 c1 ba ba ba a8 a8 a8 ea ea ea e4 e4 e4 b1 b1 b1 a3 a3 a3 e7 e7 e7 ee ee ee c9 c9 c9 85 39 57 29 00 00 00 08 74 52 4e 53 00 fa d2 75 09 d7 d6 20 00 ef cb c3 00 00 02 15 49 44 41 54 78 da ec db e9 6e a4 30 10 04 e0 9e 23 89 0b c6 9c c3 cd cc fb 3f e6 66 d7 ac 8d 14 c8 49 c6 42 ae ef 67 a9 ff b6 ba 84 85 88 9c 4f c7 03 88 68 57 0e c7 d3 59 5e bd 3c 83 88 76 e8 f9 45 e4 fc 04 22 da a5 a7 b3 9c 40 44 3b 75 92 23 88 68 a7 8e c2 ef 57 44 bb 75 10 10 Data Ascii: PNGIHDR5r]PLTE9W)tRNSu IDATxn0#?fIBgOhWY^<vE"@D;u#hWDu

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49800	104.26.12.122	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-10-02 20:04:45 UTC	36	OUT	GET /cdn-cgi/images/cf-no-screenshot-error.png HTTP/1.1 Host: nezurexternal.sell.app Connection: keep-alive sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://nezurexternal.sell.app/cdn-cgi/styles/cf.errors.css Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-10-02 20:04:45 UTC	38	IN	HTTP/1.1 200 OK Date: Mon, 02 Oct 2023 20:04:45 GMT Content-Type: image/png Content-Length: 3213 Connection: close Last-Modified: Wed, 27 Sep 2023 11:52:30 GMT ETag: "6514177e-c8d" Server: cloudflare CF-RAY: 80ff8e67dad49c6c-IAD X-Frame-Options: DENY X-Content-Type-Options: nosniff Expires: Mon, 02 Oct 2023 22:04:45 GMT Cache-Control: max-age=7200 Cache-Control: public Accept-Ranges: bytes
2023-10-02 20:04:45 UTC	38	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 b2 00 00 00 af 08 03 00 00 00 6e 1c 74 1f 00 00 02 d0 50 4c 54 45 00 00 00 ff ff ff ff 80 80 ff 55 55 bf 40 40 cc 33 33 d4 2a 2a db 24 49 bf 40 40 c6 39 39 cc 33 33 d1 2e 2e bf 2a 2a c4 27 27 c8 24 37 cc 33 33 bf 30 30 c3 2d 2d c6 2a 2a c9 28 28 bf 26 26 c2 24 31 c5 2e 2e bc 2c 2c bf 2a 2a c2 29 29 c4 27 27 bd 26 2f bf 24 2e c1 2c 2c c3 2a 2a bd 29 29 bf 28 28 c1 27 27 bf 2a 2a c1 29 29 c3 28 28 be 27 27 bf 26 26 c1 25 2c c2 24 2a be 2a 2a bf 29 29 c1 28 28 bc 27 27 be 26 26 bf 25 2a c1 24 2a bd 29 29 be 28 28 c0 26 26 bd 26 2a be 25 2a bf 24 29 bd 28 28 be 27 27 bf 26 26 c0 26 2a bd 25 29 be 24 28 bf 24 28 bc 27 27 bd 27 27 be 26 26 bc 25 29 bd 24 28 bf 27 27 bd 26 26 be 25 29 bf 25 28 bd 24 28 be Data Ascii: PNGIHDRntPLTEUU@@33$I@@9933..''$73300--((&&$1..,,))''&/$.,,))((''))((''&&%,$**))((''&&%$))((&&&%$)((''&&&%)$($(''''&&%)$(''&&%)%($(
2023-10-02 20:04:45 UTC	39	IN	Data Raw: ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe 34 dd b2 71 00 00 08 7d 49 44 41 54 78 da ed 9d fb 5f 15 45 18 c6 e7 20 1c f1 88 02 e2 51 10 31 b3 bc e5 35 6f 69 9a a4 26 59 26 9a 5a 26 11 69 a2 e2 a5 d2 cc 22 af 05 6a 9a a2 96 9a 8a 22 9a e2 5d b9 69 89 a9 a0 88 5c 2d 4d 25 c5 6b 2a 06 04 bc ff 42 de 15 98 dd 79 67 76 76 f7 d4 e7 3c 3f cf 3e f3 65 d9 9d 79 e7 9d 77 e7 10 e2 94 53 4e fd cf 54 d7 db f5 bf 80 e9 d6 26 68 dc 9c d8 a4 13 e7 8b e1 81 ae 15 a4 ed 58 3e 7d 54 9f c6 8e 48 5b a7 67 c4 ba cc 52 50 d2 95 a4 e8 91 2d 1c 08 d7 d6 6f 76 5a 19 b0 55 b4 29 cc 21 b0 1b 86 24 fc 0d 78 fd 1e d5 bb 96 a9 bc 9e a1 fb cb 81 57 45 8b 7b 59 4c e2 75 e9 Data Ascii: 4q}IDATx_E Q15oi&Y&Z&i"j"]i\-M%k*Bygvv<?>eywSNT&hX>}TH[gRP-ovZU)!$xWE{YLu
2023-10-02 20:04:45 UTC	40	IN	Data Raw: 8b e8 91 cc 89 ac f0 09 f4 67 5c 26 19 0d 89 06 d9 f6 73 75 56 a9 f0 08 0e e0 31 39 6e 67 54 c5 4f b2 4a 8c f8 73 15 5c 1a 70 94 4d 66 32 88 5d 63 59 79 a4 3a 3c 01 c2 2a 25 17 7c a0 75 92 45 bc 81 67 af 8d ad 31 4a 26 31 58 87 2c c6 e7 b1 6e 1b ee 37 db cc d8 9b c0 7f 51 a1 58 7e 3d 0c 69 70 8a 71 10 8a 75 e3 a3 ac 30 83 19 3b 46 fd a9 58 4e 61 c7 3d cc d9 be 48 62 80 8d 6e ea 2d 37 e0 90 57 2b 5b a0 a2 2c 56 7d 45 95 7b b7 41 bd 04 d9 15 f7 6c 8c 52 76 98 81 b8 9c b5 93 6e 8d af d2 7c bd 3a b3 0f e6 db bc 72 95 97 bd 23 fb f2 42 c6 9e a9 75 73 b5 0b d6 aa 33 63 86 e7 24 35 03 f6 ba 9d 51 b5 46 19 05 54 bf 85 b3 9c 46 20 87 ab f5 c8 ae b4 eb c3 3f 6e fd a0 c2 3c 0e 41 5c d1 4c ad cb 17 45 43 aa 27 bb ed 14 ad 50 64 0e c6 04 bc 89 ea ff 58 e6 c1 01 67 7c Data Ascii: g\&suV19ngTOJs\pMf2]cYy:<*%\|uEg1J&1X,n7QX~=ipqu0;FXNa=Hbn-7W+[,V}E{AlRvn\|:r#Bus3c$5QFTF ?n<A\LEC'PdXg\|

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49801	35.190.80.1	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-10-02 20:04:45 UTC	41	OUT	POST /report/v3?s=OGOGeFWSn19SqrVwNNT8K9sAKmaYduksihsDgIIySTxooK5dCARAYwXyCoyq10UMV8hx%2FmayycAzkEqN2kUn50Y2XA8vru4mO1Ft0u7WJkr6kTAcTWm1aghu3WNK3EaDAtKeTT%2Bm5K8%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Content-Length: 432 Content-Type: application/reports+json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-10-02 20:04:45 UTC	42	OUT	Data Raw: 5b 7b 22 61 67 65 22 3a 30 2c 22 62 6f 64 79 22 3a 7b 22 65 6c 61 70 73 65 64 5f 74 69 6d 65 22 3a 36 31 34 2c 22 6d 65 74 68 6f 64 22 3a 22 47 45 54 22 2c 22 70 68 61 73 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 68 74 74 70 2f 31 2e 31 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 22 2c 22 73 61 6d 70 6c 69 6e 67 5f 66 72 61 63 74 69 6f 6e 22 3a 31 2e 30 2c 22 73 65 72 76 65 72 5f 69 70 22 3a 22 31 30 34 2e 32 36 2e 31 32 2e 31 32 32 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 34 30 33 2c 22 74 79 70 65 22 3a 22 68 74 74 70 2e 65 72 72 6f 72 22 7d 2c 22 74 79 70 65 22 3a 22 6e 65 74 77 6f 72 6b 2d 65 72 72 6f 72 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 6e 65 7a 75 72 65 78 74 65 72 6e 61 6c 2e 73 65 Data Ascii: [{"age":0,"body":{"elapsed_time":614,"method":"GET","phase":"application","protocol":"http/1.1","referrer":"","sampling_fraction":1.0,"server_ip":"104.26.12.122","status_code":403,"type":"http.error"},"type":"network-error","url":"https://nezurexternal.se
2023-10-02 20:04:45 UTC	43	IN	HTTP/1.1 200 OK Content-Length: 0 date: Mon, 02 Oct 2023 20:04:45 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49802	104.26.12.122	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-10-02 20:04:45 UTC	42	OUT	GET /favicon.ico HTTP/1.1 Host: nezurexternal.sell.app Connection: keep-alive sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faq Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-10-02 20:04:45 UTC	44	IN	HTTP/1.1 403 Forbidden Date: Mon, 02 Oct 2023 20:04:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4511 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Mon, 02 Oct 2023 20:05:00 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3y49IfOROrJ6ROX%2BFesMXv620No%2FsmuBRJRLLp27AOefsTSDXkjeMozJknjdyF%2BRnYPbr6FBxLBTslD1eS%2BW10zXZbCzLHruuSmeiXOL6DPvGsDbmxronU%2FiM2YPFm9TO3QODogO5zM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 80ff8e6aaa929c61-IAD alt-svc: h3=":443"; ma=86400
2023-10-02 20:04:45 UTC	44	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE
2023-10-02 20:04:45 UTC	45	IN	Data Raw: 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 5f 73 74 79 6c 65 73 2d 69 65 2d 63 73 73 27 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f Data Ascii: " href="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.coo
2023-10-02 20:04:45 UTC	46	IN	Data Raw: 2d 63 6f 6c 75 6d 6e 73 20 74 77 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 62 6c 6f 63 6b 65 64 5f 77 68 79 5f 68 65 61 64 6c 69 6e 65 22 3e 57 68 79 20 68 61 76 65 20 49 20 62 65 65 6e 20 62 6c 6f 63 6b 65 64 3f 3c 2f 68 32 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 62 6c 6f 63 6b 65 64 5f 77 68 79 5f 64 65 74 61 69 6c 22 3e 54 68 69 73 20 77 65 62 73 69 74 65 20 69 73 20 75 73 69 6e 67 20 61 20 73 65 63 75 72 69 74 79 20 73 65 72 76 69 63 65 20 74 6f 20 70 72 6f 74 65 63 74 20 69 74 73 65 6c 66 20 66 72 6f 6d 20 6f 6e 6c 69 6e 65 Data Ascii: -columns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-translate="blocked_why_detail">This website is using a security service to protect itself from online
2023-10-02 20:04:45 UTC	48	IN	Data Raw: 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 0a 20 20 20 20 20 20 59 6f 75 72 20 49 50 3a 0a 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 2d 62 74 6e 22 3e 43 6c 69 63 6b 20 74 6f 20 72 65 76 65 61 6c 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 31 30 32 2e 31 36 35 2e 34 38 2e 38 34 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 Data Ascii: ck sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">102.165.48.84</span> <span class="cf-footer-separator sm:hidden">&

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49804	104.26.12.122	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-10-02 20:04:45 UTC	43	OUT	GET /cdn-cgi/images/browser-bar.png?1376755637 HTTP/1.1 Host: nezurexternal.sell.app Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-10-02 20:04:46 UTC	49	IN	HTTP/1.1 200 OK Date: Mon, 02 Oct 2023 20:04:45 GMT Content-Type: image/png Content-Length: 715 Connection: close Last-Modified: Wed, 27 Sep 2023 11:52:30 GMT ETag: "6514177e-2cb" Server: cloudflare CF-RAY: 80ff8e6b69033b4a-IAD X-Frame-Options: DENY X-Content-Type-Options: nosniff Expires: Mon, 02 Oct 2023 22:04:45 GMT Cache-Control: max-age=7200 Cache-Control: public Accept-Ranges: bytes
2023-10-02 20:04:46 UTC	49	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 03 c0 00 00 00 35 08 03 00 00 00 b9 bf 72 9e 00 00 00 5d 50 4c 54 45 00 00 00 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 eb eb eb 99 99 99 c4 c4 c4 f1 f1 f1 e1 e1 e1 cc cc cc d2 d2 d2 b5 b5 b5 ad ad ad 9d 9d 9d 9b 9b 9b d8 d8 d8 de de de c1 c1 c1 ba ba ba a8 a8 a8 ea ea ea e4 e4 e4 b1 b1 b1 a3 a3 a3 e7 e7 e7 ee ee ee c9 c9 c9 85 39 57 29 00 00 00 08 74 52 4e 53 00 fa d2 75 09 d7 d6 20 00 ef cb c3 00 00 02 15 49 44 41 54 78 da ec db e9 6e a4 30 10 04 e0 9e 23 89 0b c6 9c c3 cd cc fb 3f e6 66 d7 ac 8d 14 c8 49 c6 42 ae ef 67 a9 ff b6 ba 84 85 88 9c 4f c7 03 88 68 57 0e c7 d3 59 5e bd 3c 83 88 76 e8 f9 45 e4 fc 04 22 da a5 a7 b3 9c 40 44 3b 75 92 23 88 68 a7 8e c2 ef 57 44 bb 75 10 10 Data Ascii: PNGIHDR5r]PLTE9W)tRNSu IDATxn0#?fIBgOhWY^<vE"@D;u#hWDu

Statistics

Click to jump to process

Memory Usage

• Nezur Launcher.exe
• chrome.exe
• chrome.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• Nezur Launcher.exe
• chrome.exe
• chrome.exe

Click to jump to process

Target ID:	0
Start time:	22:04:39
Start date:	02/10/2023
Path:	C:\Users\user\Desktop\Nezur Launcher.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Nezur Launcher.exe
Imagebase:	0x2dacc530000
File size:	2'662'400 bytes
MD5 hash:	2E1C03948AD3F04F5BC464A51367D915
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.877327127.000002DACC7AC000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	22:04:42
Start date:	02/10/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faq
Imagebase:	0x7ff65c530000
File size:	3'219'224 bytes
MD5 hash:	8D1C4713ACB7CC2AAAEE4477C58A80BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	22:04:42
Start date:	02/10/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1836 --field-trial-handle=1912,i,16295521840020286351,3782311374779597063,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff65c530000
File size:	3'219'224 bytes
MD5 hash:	8D1C4713ACB7CC2AAAEE4477C58A80BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	13
Total number of Limit Nodes:	0

Show Legend

Hide Nodes/Edges

Executed Functions

Function 00007FF9A3CB2EFE Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278515963.00007FF9A3CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A3CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a3cb0000_Nezur Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8571fe05b71577b0e59a46c5321db63ca9e97fc0727d7f03a10a4cd4c43e85e
Instruction ID: ae911645e09187cc06f02e72de5b4fd32f96152f6ebd7183de24049279af8b81
Opcode Fuzzy Hash: d8571fe05b71577b0e59a46c5321db63ca9e97fc0727d7f03a10a4cd4c43e85e
Instruction Fuzzy Hash: 6A41583160D7890FD71EDA348C255A57BA5EB87210B15C2BFD4C7CB1E7EC68680687D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A3CB2EB1 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278515963.00007FF9A3CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A3CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a3cb0000_Nezur Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7294ec594bf891c24727a534f74f14b65b55b8ead8df8f885324eadfc3cb128
Instruction ID: d999e27f5c11d7ba8af5ad3f2c138be4a09858cd173de34a664cd2bee3d8d3b7
Opcode Fuzzy Hash: e7294ec594bf891c24727a534f74f14b65b55b8ead8df8f885324eadfc3cb128
Instruction Fuzzy Hash: A741573160D7890FD71E9A348C256B57BA5EB87210B15C2BED4CBCB1E7DC68680687D2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A3CB8005 Relevance: 1.7, APIs: 1, Instructions: 173
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 00007FF9A3CB8141

Memory Dump Source

Source File: 00000000.00000002.1278515963.00007FF9A3CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A3CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a3cb0000_Nezur Launcher.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 128d9ec2fd09af1a029e6ba46e2275fbc5c4325d1aa2cb20853b3b8a9a46e4b5
Instruction ID: cbf81c9aa91104ddafed47c648146194427f72d5d8a739a65821a492ddf4e6b9
Opcode Fuzzy Hash: 128d9ec2fd09af1a029e6ba46e2275fbc5c4325d1aa2cb20853b3b8a9a46e4b5
Instruction Fuzzy Hash: 8051E53180D7C84FD70ADBA898596A47FF1EF57320F0842EFD085C71A3DA64681AC752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A3CB20F5 Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1278515963.00007FF9A3CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A3CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a3cb0000_Nezur Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cd2e439d24df519f97746ad002d3e6d3c9d6ab41291e9a9834edc547fc4f64
Instruction ID: 6294d85bd4b25503a3d4109b86f3f7deb7f1d171a8de3bceafb8db89e90113bf
Opcode Fuzzy Hash: 30cd2e439d24df519f97746ad002d3e6d3c9d6ab41291e9a9834edc547fc4f64
Instruction Fuzzy Hash: 7C41363190D7584FDB04EB6CA84AAFE7BE1EF96321F04417FD089D3192DE2464168791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A3CB1431 Relevance: 1.7, APIs: 1, Instructions: 165
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 00007FF9A3CB1541

Memory Dump Source

Source File: 00000000.00000002.1278515963.00007FF9A3CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A3CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a3cb0000_Nezur Launcher.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d697cd0942c3dedee043450d6fb1352545b3cbccad49a1cc3d0bffba5bbdbaa6
Instruction ID: d6401747069fc172f90a37113fbd3e2b75d5fc857ae750555d8653b12224fa58
Opcode Fuzzy Hash: d697cd0942c3dedee043450d6fb1352545b3cbccad49a1cc3d0bffba5bbdbaa6
Instruction Fuzzy Hash: 9C51F43190D7884FD70ACF6898556E57FF0EF57320F0942AFD089C75A3CA686856CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A3CB0743 Relevance: 1.6, APIs: 1, Instructions: 149
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 00007FF9A3CB1541

Memory Dump Source

Source File: 00000000.00000002.1278515963.00007FF9A3CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A3CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a3cb0000_Nezur Launcher.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ad2e63c7e489e50d327d7edfbd9352a049707e8bc45a2ec93bcacdc485430723
Instruction ID: 622e8db06966ee0ad8da926f2ab9df46cb2473d8e2803e70c37dd4c611fd9b98
Opcode Fuzzy Hash: ad2e63c7e489e50d327d7edfbd9352a049707e8bc45a2ec93bcacdc485430723
Instruction Fuzzy Hash: 8D41163190CB584FDB18EF68E84AAF9BBE0EF55321F04417FD049D3152CB6468568B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A3B9DE20 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278258713.00007FF9A3B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A3B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a3b9d000_Nezur Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e336f458d93f63ce970d3d32bb3f9db41844ae266f12c22bf647aa09486e7c
Instruction ID: 75e296edfc3f22f5d83e4d6fa954caaba54f2d6478c29c440383940cab4fecb2
Opcode Fuzzy Hash: b2e336f458d93f63ce970d3d32bb3f9db41844ae266f12c22bf647aa09486e7c
Instruction Fuzzy Hash: 0D41D03040EBC85FD756DB29D845A623FF0EF56320B1506DFD0C8CB1A7D665A846CBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF9A3CB5800 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278515963.00007FF9A3CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A3CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a3cb0000_Nezur Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56766fcd0ac10fa2ca930e6b9d5553cb8e820ff7252516e39145e7893768a313
Instruction ID: b51ca25c0e194493986a5c1909f65833c7b65dc3da2efcf9fee11333ccf7b150
Opcode Fuzzy Hash: 56766fcd0ac10fa2ca930e6b9d5553cb8e820ff7252516e39145e7893768a313
Instruction Fuzzy Hash: 2071003250D7854FD30ACF688CA56A57BB1EF53310B1942EED4C6CB1A3EA68A907C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A3CB5871 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278515963.00007FF9A3CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A3CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a3cb0000_Nezur Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a1756bc4fe4ea2c462bf4c00323b0dbdd06f790f4218a24c5593ade8db66b2a
Instruction ID: 70b0172bd204f9a7630ca2a9f660ffd6ba3844bafd5a5a93b8ee89366573f84d
Opcode Fuzzy Hash: 6a1756bc4fe4ea2c462bf4c00323b0dbdd06f790f4218a24c5593ade8db66b2a
Instruction Fuzzy Hash: 3B61EF7150D7854FD30ACF748CA56A17FB1EF17310B1A82EED4C6CB1A3DA68A906C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A3CB5692 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278515963.00007FF9A3CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A3CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a3cb0000_Nezur Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebdabbf043f3addca1af18e431e4d83a89cb5f8ddc51ec960626fe546df3f35d
Instruction ID: 82feabca7d6f8f3181083256403d3403e8210e7f2f6796d9ec8bf9fbcc66b172
Opcode Fuzzy Hash: ebdabbf043f3addca1af18e431e4d83a89cb5f8ddc51ec960626fe546df3f35d
Instruction Fuzzy Hash: CD412B31A4D3894FE31E8A345C564B2BBA6DB8322071582FFC4D6CB0F7ED59680B8791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A3CB5788 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278515963.00007FF9A3CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A3CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a3cb0000_Nezur Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b25f15f128f8421ba774198024e8ff460eda050777d603f56de4d35ac1b832
Instruction ID: 970ac968cdc4e131cc915a38d82c6f8efcd7134ebf3f4b9b96bf84a52a8fe16d
Opcode Fuzzy Hash: 20b25f15f128f8421ba774198024e8ff460eda050777d603f56de4d35ac1b832
Instruction Fuzzy Hash: 7001F432B4C11D1B932C9D718C8B873F74FD3C3614712D23DE9A7C25A5DEA0A4279190

Uniqueness

Uniqueness Score: -1.00%

Source: Nezur Launcher.exe, 00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/interface/uelxsuwblsmkokrpstoofjgjeoraa.xaml
Source: Nezur Launcher.exe, 00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/interface/uelxsuwblsmkokrpstoofjgjeoraa.xamlp
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE701D000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://fontello.com
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp, Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE701D000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://fontello.comMaterial
Source: Nezur Launcher.exe, 00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/interface/uelxsuwblsmkokrpstoofjgjeoraa.baml
Source: Nezur Launcher.exe, 00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/interface/uelxsuwblsmkokrpstoofjgjeoraa.bamlp
Source: Nezur Launcher.exe, 00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/interface/uelxsuwblsmkokrpstoofjgjeoraa.xaml
Source: Nezur Launcher.exe, 00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/interface/uelxsuwblsmkokrpstoofjgjeoraa.xamlp
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFL
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLCopyright
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLMontserratSemiBold
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE6E20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.fontisto.com
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.google.com/fontshttp://www.hubertfischer.comThis
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE6E20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.kenangundogan.com
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE6E20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.kenangundogan.comhttp://www.kenangundogan.comMITMIThttps://opensource.org/licenses/mit-li
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.zkysky.com.ar/http://www.zkysky.com.ar/This
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE6E20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://fontawesome.com
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE6E20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://fontawesome.comhttps://fontawesome.comFont
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE6E20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/JetBrains/JetBrainsMono)JetBrains
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/JulietaUla/Montserrat)Montserrat
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/JulietaUla/Montserrat)MontserratSemiBold7.200;ULA
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/googlefonts/rubik)Rubik
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/googlefonts/rubik)RubikRegular2.102;NONE;Rubik-RegularRubik
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)Poppins
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)PoppinsBold
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)PoppinsBoldITFO;
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)PoppinsItalicITFO;
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)PoppinsRegularITFO;
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://indiantypefoundry.comThis
Source: Nezur Launcher.exe, 00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nezur.net/
Source: Nezur Launcher.exe, 00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nezur.net/F/Nezur
Source: Nezur Launcher.exe, 00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nezur.net/keysys.html
Source: Nezur Launcher.exe, 00000000.00000002.1275017533.000002DACE5E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faq
Source: Nezur Launcher.exe, 00000000.00000002.1277345969.000002DAEB456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faq&
Source: Nezur Launcher.exe, 00000000.00000002.1277138787.000002DAEB2F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faq0
Source: Nezur Launcher.exe, 00000000.00000002.1277138787.000002DAEB2B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faq59
Source: Nezur Launcher.exe, 00000000.00000002.1277138787.000002DAEB2B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faqC4(0)
Source: Nezur Launcher.exe, 00000000.00000002.1277345969.000002DAEB456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faqP4
Source: Nezur Launcher.exe, 00000000.00000002.1277138787.000002DAEB2F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faql
Source: Nezur Launcher.exe, 00000000.00000002.1277345969.000002DAEB456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nezurexternal.sell.app/product/nezur-key-bypass-85-off?info=faqv
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE6E20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://opensource.org/licenses/mit-license.html
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp, Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE6E20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLhttps://scripts.sil.org/OFL
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE6E20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLhttps://scripts.sil.org/OFLJetBrains
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLhttps://scripts.sil.org/OFLPoppinsBlack
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLhttps://scripts.sil.org/OFLPoppinsExtraBold
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLhttps://scripts.sil.org/OFLPoppinsExtraLight
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLhttps://scripts.sil.org/OFLPoppinsLight
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLhttps://scripts.sil.org/OFLPoppinsMedium
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLhttps://scripts.sil.org/OFLPoppinsSemiBold
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLhttps://scripts.sil.org/OFLPoppinsThin
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLhttps://scripts.sil.org/OFLRubikMediumRubikRomanWeightItalicRoman
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE7135000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLhttps://scripts.sil.org/OFLRubikRomanWeightItalicRoman
Source: chromecache_122.2.dr, chromecache_120.2.dr	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: Nezur Launcher.exe, 00000000.00000002.1275483029.000002DAE6E20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.jetbrains.comhttps://www.jetbrains.comThis

Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 02 Oct 2023 20:04:44 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4511Connection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Mon, 02 Oct 2023 20:04:59 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OGOGeFWSn19SqrVwNNT8K9sAKmaYduksihsDgIIySTxooK5dCARAYwXyCoyq10UMV8hx%2FmayycAzkEqN2kUn50Y2XA8vru4mO1Ft0u7WJkr6kTAcTWm1aghu3WNK3EaDAtKeTT%2Bm5K8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 80ff8e641a14241a-IADalt-svc: h3=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 02 Oct 2023 20:04:45 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4511Connection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Mon, 02 Oct 2023 20:05:00 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3y49IfOROrJ6ROX%2BFesMXv620No%2FsmuBRJRLLp27AOefsTSDXkjeMozJknjdyF%2BRnYPbr6FBxLBTslD1eS%2BW10zXZbCzLHruuSmeiXOL6DPvGsDbmxronU%2FiM2YPFm9TO3QODogO5zM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 80ff8e6aaa929c61-IADalt-svc: h3=":443"; ma=86400

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Nezur Launcher.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 119

Chrome Cache Entry: 120

Chrome Cache Entry: 121

Chrome Cache Entry: 122

Chrome Cache Entry: 123

Chrome Cache Entry: 124

Chrome Cache Entry: 125

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
Nezur Launcher.exe