Edit tour

Windows Analysis Report
T1#U52a9#U624b1.0.1.exe

Overview

General Information

Sample name:	T1#U52a9#U624b1.0.1.exe renamed because original name is a hash value
Original sample name:	T11.0.1.exe
Analysis ID:	1581935
MD5:	477d3b9ee775c048f96b450dd00ba490
SHA1:	81f1991882b1bf1cb4b169da6c94b772517ab1eb
SHA256:	799084320848500fef5673799157b94c1db7b74f9651ffe0af326051973cf490
Tags:	backdoorexesilverfoxwinosuser-zhuzhu0009
Infos:

Detection

Score:	46
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Suricata IDS alerts for network traffic

AI detected suspicious sample

Creates files in alternative data streams (ADS)

Found pyInstaller with non standard icon

Loading BitLocker PowerShell Module

Query firmware table information (likely to detect VMs)

Sigma detected: Suspicious File Creation In Uncommon AppData Folder

Suspicious powershell command line found

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

Uses Register-ScheduledTask to add task schedules

Uses cmd line tools excessively to alter registry or file data

Uses schtasks.exe or at.exe to add and modify task schedules

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Connects to many different domains

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Form action URLs do not match main URL

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

HTML body contains low number of good links

HTML page contains hidden javascript code

HTML title does not match URL

IP address seen in connection with other malware

Installs a global mouse hook

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file contains strange resources

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Too many similar processes found

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

T1#U52a9#U624b1.0.1.exe (PID: 2256 cmdline: "C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe" MD5: 477D3B9EE775C048F96B450DD00BA490)

T1#U52a9#U624b1.0.1.exe (PID: 5300 cmdline: "C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe" MD5: 477D3B9EE775C048F96B450DD00BA490)

powershell.exe (PID: 3004 cmdline: powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../LineInst.exe'; $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date); $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnce' -Description 'MicrosoftEdgeUpdatesOnce once' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnce' " MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3568 cmdline: powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../WinHex.exe'; $Trigger = New-ScheduledTaskTrigger -AtLogon; $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnceMe' -Description 'MicrosoftEdgeUpdatesOnce once You' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnceMe' " MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1852 cmdline: C:\Windows\system32\cmd.exe /c "attrib +s +a +h C:\Users\user\AppData\LineInst.exe&&attrib +s +a +h C:\Users\user\AppData\WinHex.exe&&attrib +s +a +h C:\Users\user\AppData\SystemUpdate.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 7296 cmdline: attrib +s +a +h C:\Users\user\AppData\LineInst.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

attrib.exe (PID: 7324 cmdline: attrib +s +a +h C:\Users\user\AppData\WinHex.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

attrib.exe (PID: 7344 cmdline: attrib +s +a +h C:\Users\user\AppData\SystemUpdate.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

WinHex.exe (PID: 7412 cmdline: C:\Users\user\AppData\Roaming\../WinHex.exe MD5: EFDC5DBA52333C0F5EEEDB0308FBE2D0)

WinHex.exe (PID: 7516 cmdline: C:\Users\user\AppData\Roaming\../WinHex.exe MD5: EFDC5DBA52333C0F5EEEDB0308FBE2D0)

cmd.exe (PID: 7588 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\SystemUpdate.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SystemUpdate.exe (PID: 7664 cmdline: C:\Users\user\AppData\SystemUpdate.exe MD5: 6BDDA8BA15F8F472FE7D065689E7D35D)

SystemUpdate.exe (PID: 7692 cmdline: C:\Users\user\AppData\SystemUpdate.exe MD5: 6BDDA8BA15F8F472FE7D065689E7D35D)

cmd.exe (PID: 7760 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7804 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 7968 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8016 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 8072 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8140 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 8172 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7304 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 6968 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7252 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 1860 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5308 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 7264 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7632 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 3448 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7816 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 7700 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4900 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 7856 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7888 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 1420 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4584 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 1700 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5800 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 7240 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5012 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 6432 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7916 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 1928 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1352 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 4324 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6400 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 4412 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7680 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

chrome.exe (PID: 6880 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=532930 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 1928 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 --field-trial-handle=2004,i,15154464915754026399,3836572238122876390,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cmd.exe (PID: 1460 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 900 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 6768 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7672 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 6880 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3916 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 5348 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1868 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 2724 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4572 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 2656 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5328 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 2764 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7640 cmdline: schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 7804 cmdline: C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

LineInst.exe (PID: 7420 cmdline: C:\Users\user\AppData\Roaming\../LineInst.exe MD5: AA2AD37BB74C05A49417E3D2F1BD89CE)

SetupHost.exe (PID: 7508 cmdline: "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web MD5: A5D94F9587F97E9C674447447721B77F)

vdsldr.exe (PID: 7580 cmdline: C:\Windows\System32\vdsldr.exe -Embedding MD5: 472A05A6ADC167E9E5D2328AD98E3067)

chrome.exe (PID: 2188 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6588 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1936,i,15628791438985490340,2968363924654632854,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

svchost.exe (PID: 1712 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

chrome.exe (PID: 5288 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 180 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2032,i,4475010063348466522,12630456280325372382,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4956 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6204 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1968,i,58944968473598260,14066714597260275696,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6732 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7788 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1988,i,2397862122718210806,12237267871317461974,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6008 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2232 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=2024,i,1043454292865957278,12392202252195058562,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5964 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2200 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2012,i,4017807827871240827,294443514438666825,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3096 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7068 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=1936,i,10198018738591083414,2483585144497047882,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7212 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3868 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=2008,i,5238929235679066905,12786035706151781453,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7888 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7032 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1968,i,6157079858765921233,5568951314403497470,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5632 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8172 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=2016,i,15539671429910762002,15161021274924515465,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5940 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 1644 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1148,i,2046368302589155641,3041774423784538269,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7216 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3428 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2012,i,11408168899703520178,4411795298762762360,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Sigma Signatures

System Summary

Sigma detected: Suspicious File Creation In Uncommon AppData Folder

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe, ProcessId: 5300, TargetFilename: C:\Users\user\AppData\LineInst.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../LineInst.exe'; $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date); $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnce' -Description 'MicrosoftEdgeUpdatesOnce once' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnce' ", CommandLine: powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../LineInst.exe'; $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date); $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnce' -Description 'MicrosoftEdgeUpdatesOnce once' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnce' ", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe", ParentImage: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe, ParentProcessId: 5300, ParentProcessName: T1#U52a9#U624b1.0.1.exe, ProcessCommandLine: powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../LineInst.exe'; $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date); $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnce' -Description 'MicrosoftEdgeUpdatesOnce once' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnce' ", ProcessId: 3004, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1712, ProcessName: svchost.exe

Suricata Signatures

ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T13:55:37.140975+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.4	50597	104.244.42.67	443	TCP
2024-12-29T13:55:50.214430+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.4	50738	188.125.88.204	443	TCP
2024-12-29T13:55:54.258584+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.4	50775	188.125.88.204	443	TCP

ET MALWARE Anonymous RAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T13:54:23.450046+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49895	8.212.101.195	1122	TCP
2024-12-29T13:55:56.777888+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49930	8.212.101.195	1122	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: Form action: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c13cb6fd407&redirect_uri=https%3A%2F%2Fsupport.microsoft.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20offline_access&response_mode=form_post&nonce=638710736717457756.MWZjNjZhMDctODcyNi00NGQzLTg0ZDYtYzRmMmQ3ZDNlMjJkMDNjY2QyMWMtZDAxMy00YTA5LWFiYjUtMDViZTlkMjVmMTZj&prompt=none&nopa=2&state=CfDJ8C0ohqf0LPdLoRrMGwogAwyGYJ1kpL8VWA1XJdehwCrsqQHal8lqsRL3GZOFV0hctBnOeaKNDklgfFnuCw17O3Vk1QHM4VOxl7k7RFBt13tI8p_SX9IGAyhkvmRAZwPHkRUVn5lgp4uoWUJMhFrpcT4fOka9ALXJV-STw-Wxm5EESLCddsViSqMiPz7vfIiyRYg953tt0AImasNV5fOzZLAY8lAKYggxgbizw_B_t3T-TSOYSSgy-nzwibjp6L8vpnC_mRynHZCXaDzr3ePB5Ru_M9F0_ZyrxPjOEEllJNavuY6NwcQLWBVrbeEhX0jjIauqrPqi-PY_0iVC7AQVY-ujiXreSbRF_oRcYHozyqO1&x-client-SKU=ID_NET6_0&x-client-ver=8.1.2.0&sso_reload=true microsoft microsoftonline
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: Form action: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c13cb6fd407&redirect_uri=https%3A%2F%2Fsupport.microsoft.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20offline_access&response_mode=form_post&nonce=638710736744076271.MjJiMWM5ZDQtYWJiMS00NjdlLWJiNWQtZTkyMDY5MDFjNTFlYjJkOWM0NDgtNjM0Yi00ODJhLThhYjYtNWU0NmQ2Y2Y5YzQx&prompt=none&nopa=2&state=CfDJ8C0ohqf0LPdLoRrMGwogAwzCX03PcRaz7F1d7cOQw4uMYrW7hlepjzqImkGr0eYdYR5XGcApbbLjjx9OooDuuSzwMA949xsIhUDoMyaGo5GtexKTYxv2TNQhw9qJ-AEq6OWbx44hkFry0tkLOSmdcp4XyCHEUkP_71v28mrzW06BenZkEeSsoD3ZRdgFhelg_ZutMTpICIqoRNxmWApcJ96SwUKZh63QdDQgUBiCR16qjfX3xdHlSjM2CsUC8hJXV_WxEWyw6rpjVGQBS5-naDCz5-qNCtjVNwdGx3UWQ2NS0RJxhgqFK7TR9565DMyUMq4eDuMK4fI8STeRZXTIf9hdwCqzPpDTJZDCxjpYoY2X&x-client-SKU=ID_NET6_0&x-client-ver=8.1.2.0&sso_reload=true microsoft microsoftonline
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: Form action: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c13cb6fd407&redirect_uri=https%3A%2F%2Fsupport.microsoft.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20offline_access&response_mode=form_post&nonce=638710736724917362.MGU0YmFjMzgtNjM5MS00MzcwLTkwNTQtMTgwNWIzYWM0NzJkYzMwZDhlOTktYTYzZS00ZDFiLThhN2EtZGJlNDgyZDg2OTMz&prompt=none&nopa=2&state=CfDJ8C0ohqf0LPdLoRrMGwogAwyyC6n7hQz5MtifNtwfHal2dQVffZuOhwg1_vqbAseeOeNfWs2Ekq8Z-nQlTQD2A7V-fdJbPe3xaoL-r-BLJcEYN_Pv6GOcAAT2TUYcXMuHtnH0PO_fMqIcr4eIlHIZSECKLX-OX24V_kDfOcIK2-bmzXWZ03jDLz-LKjv9LMlOoKd6WtVHqyRqzbvNB3UvdtSuXS4CCmKHoYl7aluVUVB_lqrpQ13tuxu7WrlQxRQzcTmCodZNoUYsg4jCVZ5N5B6RERljozGvdt2Sq9qX99s4B8OON0_8vvtGn4k27nK50kGQQw1NZKDWLDRjXUeZuhqti0D_QcueLm8upx9WYr0j&x-client-SKU=ID_NET6_0&x-client-ver=8.1.2.0&sso_reload=true microsoft microsoftonline
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: Form action: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c13cb6fd407&redirect_uri=https%3A%2F%2Fsupport.microsoft.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20offline_access&response_mode=form_post&nonce=638710736737765776.YTcxNzIyOWYtNGZlOC00MTkzLWExZjktMGI5MmJmODY4MjI1NzgzYzkzMmEtYjE1OC00M2IyLTg3NzctMjgxOTQ2MWIyMDQy&prompt=none&nopa=2&state=CfDJ8C0ohqf0LPdLoRrMGwogAwzgD3hjYIMV-dur1xpZtQr4XHqSD67V4Jun8vUlNUiVoHaH17kXeRWgcdiiuDxX1gEpJpv_tbeuqxnd9Fb-TxMm1LP3KHS8n7iag4gpLdb-0uCazsJKzGTnpq59Uu437w3R18ME6OCenbmRCO97OafNK7fusdlTfmA3izaoagWnuF_jORXnpQI-X9G0os19r6bVZwXHACQZkzJdcLMinFAHB5G4Zo_g0oQHFdYRAwqxqmOQGCno6uCTBxFVBrBvgbRXB4QAEmfXvJgZ_SljpglJbWl_wba8Do1rWkAHhFrachNrnmV4uiGGUW_aXbS-YQtX4MnStac1345Ya85M7dmP&x-client-SKU=ID_NET6_0&x-client-ver=8.1.2.0&sso_reload=true microsoft microsoftonline

Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: Number of links: 0
Source: https://www.microsoft.com/en-us/windows/windows-10-specifications	HTTP Parser: Number of links: 0

Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445

HTTP Parser: Base64 decoded: 1fc66a07-8726-44d3-84d6-c4f2d7d3e22d03ccd21c-d013-4a09-abb5-05be9d25f16c

Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: Title: Redirecting does not match URL
Source: https://www.microsoft.com/en-us/windows/windows-10-specifications	HTTP Parser: Title: Continue does not match URL

Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: Iframe src: https://login.live.com/Me.htm?v=3
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: Iframe src: https://login.live.com/Me.htm?v=3
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: Iframe src: https://login.live.com/Me.htm?v=3
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: Iframe src: https://login.live.com/Me.htm?v=3
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: Iframe src: https://login.live.com/Me.htm?v=3
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: Iframe src: https://login.live.com/Me.htm?v=3
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: Iframe src: https://login.live.com/Me.htm?v=3
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: Iframe src: https://login.live.com/Me.htm?v=3
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: Iframe src: https://login.live.com/Me.htm?v=3
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: Iframe src: https://login.live.com/Me.htm?v=3
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: Iframe src: https://login.live.com/Me.htm?v=3
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: Iframe src: https://login.live.com/Me.htm?v=3
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: Iframe src: https://login.live.com/Me.htm?v=3

Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon
Source: https://www.microsoft.com/en-us/windows/windows-10-specifications	HTTP Parser: No favicon
Source: https://www.microsoft.com/en-us/windows/windows-10-specifications	HTTP Parser: No favicon
Source: https://www.microsoft.com/en-us/windows/windows-10-specifications	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-US/windows/cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-US/windows/cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No favicon

Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="author".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="author".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="author".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="author".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="author".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="author".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="author".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="author".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="author".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="author".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="author".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="author".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="author".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="author".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="author".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="author".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="author".. found
Source: https://www.microsoft.com/en-us/windows/windows-10-specifications	HTTP Parser: No <meta name="author".. found

Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="copyright".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="copyright".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="copyright".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="copyright".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="copyright".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="copyright".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="copyright".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="copyright".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="copyright".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="copyright".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="copyright".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="copyright".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="copyright".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="copyright".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="copyright".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="copyright".. found
Source: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445	HTTP Parser: No <meta name="copyright".. found
Source: https://www.microsoft.com/en-us/windows/windows-10-specifications	HTTP Parser: No <meta name="copyright".. found

Source: C:\$Windows.~WS\Sources\SetupHost.exe	File created: C:\$Windows.~WS\Sources\Panther\setuperr.log
Source: C:\$Windows.~WS\Sources\SetupHost.exe	File created: C:\$Windows.~WS\Sources\Panther\setupact.log
Source: C:\$Windows.~WS\Sources\SetupHost.exe	File created: C:\$WINDOWS.~BT\Sources\Panther\setuperr.log
Source: C:\$Windows.~WS\Sources\SetupHost.exe	File created: C:\$WINDOWS.~BT\Sources\Panther\setupact.log

Source: C:\$Windows.~WS\Sources\SetupHost.exe

File created: C:\$Windows.~WS\Sources\Panther\Eula.rtf

Source: T1#U52a9#U624b1.0.1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a01\_work\6\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702622530.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1812752389.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1843026952.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\select.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823292790.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1850173368.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: SetupPrep.pdbGCTL source: T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1726683748.000001F6ECEC4000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000C.00000003.1792989511.0000000005926000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000C.00000003.1796484557.0000000007084000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000C.00000003.1796355273.0000000003717000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000C.00000000.1789614892.0000000000821000.00000020.00000001.01000000.0000000B.sdmp, LineInst.exe, 0000000C.00000003.1792878564.0000000003700000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_lzma.pdbMM source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703021480.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1815198590.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1843822452.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_bz2.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702755893.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1813354350.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1843278211.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_hashlib.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702887018.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1814913258.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1843629057.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: SetupHost.pdbGCTL source: SetupHost.exe, 0000000D.00000000.1825359643.00000000006EC000.00000020.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_socket.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703440801.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816198264.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1844015796.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: SetupHost.pdb source: SetupHost.exe, 0000000D.00000000.1825359643.00000000006EC000.00000020.00000001.01000000.0000000D.sdmp
Source:	Binary string: SetupPrep.pdb source: T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1726683748.000001F6ECEC4000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000C.00000003.1792989511.0000000005926000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000C.00000003.1796484557.0000000007084000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000C.00000003.1796355273.0000000003717000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000C.00000000.1789614892.0000000000821000.00000020.00000001.01000000.0000000B.sdmp, LineInst.exe, 0000000C.00000003.1792878564.0000000003700000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\unicodedata.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A903D000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823942492.000001EB0A292000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1850468835.00000245F38CD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_lzma.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703021480.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1815198590.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1843822452.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\WinHex.exe	File opened: z:
Source: C:\Users\user\AppData\WinHex.exe	File opened: x:
Source: C:\Users\user\AppData\WinHex.exe	File opened: v:
Source: C:\Users\user\AppData\WinHex.exe	File opened: t:
Source: C:\Users\user\AppData\WinHex.exe	File opened: r:
Source: C:\Users\user\AppData\WinHex.exe	File opened: p:
Source: C:\Users\user\AppData\WinHex.exe	File opened: n:
Source: C:\Users\user\AppData\WinHex.exe	File opened: l:
Source: C:\Users\user\AppData\WinHex.exe	File opened: j:
Source: C:\Users\user\AppData\WinHex.exe	File opened: h:
Source: C:\Users\user\AppData\WinHex.exe	File opened: f:
Source: C:\Users\user\AppData\WinHex.exe	File opened: b:
Source: C:\Users\user\AppData\WinHex.exe	File opened: y:
Source: C:\Users\user\AppData\WinHex.exe	File opened: w:
Source: C:\Users\user\AppData\WinHex.exe	File opened: u:
Source: C:\Users\user\AppData\WinHex.exe	File opened: s:
Source: C:\Users\user\AppData\WinHex.exe	File opened: q:
Source: C:\Users\user\AppData\WinHex.exe	File opened: o:
Source: C:\Users\user\AppData\WinHex.exe	File opened: m:
Source: C:\Users\user\AppData\WinHex.exe	File opened: k:
Source: C:\Users\user\AppData\WinHex.exe	File opened: i:
Source: C:\Users\user\AppData\WinHex.exe	File opened: g:
Source: C:\Users\user\AppData\WinHex.exe	File opened: e:
Source: C:\Windows\System32\svchost.exe	File opened: c:
Source: C:\Users\user\AppData\WinHex.exe	File opened: [:

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1F6714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF77B1F6714
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B2009B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF77B2009B4
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1E7820 FindFirstFileExW,FindClose,	0_2_00007FF77B1E7820
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1F6714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF77B1F6714

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49895 -> 8.212.101.195:1122
Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49930 -> 8.212.101.195:1122

Source: unknown

Network traffic detected: DNS query count 35

Source: global traffic

TCP traffic: 192.168.2.4:49895 -> 8.212.101.195:1122

Source: Joe Sandbox View	IP Address: 91.228.74.200 91.228.74.200
Source: Joe Sandbox View	IP Address: 54.154.234.207 54.154.234.207
Source: Joe Sandbox View	IP Address: 63.140.62.222 63.140.62.222

Source: Network traffic	Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.4:50597 -> 104.244.42.67:443
Source: Network traffic	Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.4:50775 -> 188.125.88.204:443
Source: Network traffic	Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.4:50738 -> 188.125.88.204:443

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.168.102
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.168.102
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.168.117
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.168.117
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 8.212.101.195

Source: global traffic	HTTP traffic detected: GET /id?d_visid_ver=4.4.0&d_fieldgroup=MC&d_rtbd=json&d_ver=2&d_orgid=EA76ADE95776D2EC7F000101%40AdobeOrg&d_nsid=0&ts=1735476923217 HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencodedAccept: /Origin: https://www.microsoft.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dest5.html?d_nsid=0 HTTP/1.1Host: mscom.demdex.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://www.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483
Source: global traffic	HTTP traffic detected: GET /id?d_visid_ver=4.4.0&d_fieldgroup=A&mcorgid=EA76ADE95776D2EC7F000101%40AdobeOrg&mid=81699440500871430363688403270984381028&ts=1735476925721 HTTP/1.1Host: msftenterprise.sc.omtrdc.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencodedAccept: /Origin: https://www.microsoft.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /id?d_visid_ver=4.4.0&d_fieldgroup=MC&d_rtbd=json&d_ver=2&d_orgid=EA76ADE95776D2EC7F000101%40AdobeOrg&d_nsid=0&ts=1735476923217 HTTP/1.1Host: dpm.demdex.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483
Source: global traffic	HTTP traffic detected: GET /id?d_visid_ver=4.4.0&d_fieldgroup=AAM&d_rtbd=json&d_ver=2&d_orgid=EA76ADE95776D2EC7F000101%40AdobeOrg&d_nsid=0&d_mid=81699440500871430363688403270984381028&d_blob=6G1ynYcLPuiQxYZrsz_pkqfLG9yMXBpb2zX5dvJdYQJzPXImdj0y&d_cid_ic=MC1%0163539283e80441aa9dfff040b635d212%012&ts=1735476928112 HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencodedAccept: /Origin: https://www.microsoft.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483
Source: global traffic	HTTP traffic detected: GET /id?d_visid_ver=4.4.0&d_fieldgroup=A&mcorgid=EA76ADE95776D2EC7F000101%40AdobeOrg&mid=81699440500871430363688403270984381028&ts=1735476925721 HTTP/1.1Host: msftenterprise.sc.omtrdc.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=411&dpuuid=Z3FGwQAAAIPC1wOJ HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485
Source: global traffic	HTTP traffic detected: GET /365868.gif?partner_uid=81980359511806646913714319239841733483 HTTP/1.1Host: idsync.rlcdn.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /getuid?https%3A%2F%2Fdpm.demdex.net%2Fibs%3Adpid%3D358%26dpuuid%3D%24UID HTTP/1.1Host: ib.adnxs.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /pixel?google_nid=adobe_dmp&google_cm&gdpr=0&gdpr_consent=&google_hm=ODE5ODAzNTk1MTE4MDY2NDY5MTM3MTQzMTkyMzk4NDE3MzM0ODM= HTTP/1.1Host: cm.g.doubleclick.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /1000.gif?memo=CKyqFhIxCi0IARCYEhomODE5ODAzNTk1MTE4MDY2NDY5MTM3MTQzMTkyMzk4NDE3MzM0ODMQABoNCMONxbsGEgUI6AcQAEIASgA HTTP/1.1Host: idsync.rlcdn.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: rlas3=7Duni9Is6QKMFg6L/mqucNLRKA4yKjzeBAXndzPoDRI=; pxrc=CAA=
Source: global traffic	HTTP traffic detected: GET /bounce?%2Fgetuid%3Fhttps%253A%252F%252Fdpm.demdex.net%252Fibs%253Adpid%253D358%2526dpuuid%253D%2524UID HTTP/1.1Host: ib.adnxs.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: XANDR_PANID=BZXHKZql-2YMKk-7V-hqTl77N6wfEL1GYZbNGSUayoQMp4BmPQQC6aHR3SlKXRTYDc0J4sq13dIHO3Fz88aU4HIql9-ITc2_buK9aDLmeZk.; receive-cookie-deprecation=1; uuid2=7919660468872361886
Source: global traffic	HTTP traffic detected: GET /id?d_visid_ver=4.4.0&d_fieldgroup=AAM&d_rtbd=json&d_ver=2&d_orgid=EA76ADE95776D2EC7F000101%40AdobeOrg&d_nsid=0&d_mid=81699440500871430363688403270984381028&d_blob=6G1ynYcLPuiQxYZrsz_pkqfLG9yMXBpb2zX5dvJdYQJzPXImdj0y&d_cid_ic=MC1%0163539283e80441aa9dfff040b635d212%012&ts=1735476928112 HTTP/1.1Host: dpm.demdex.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=477&dpuuid=779416a4c94a11361c21809cfac65e3347c1e49f6529a35cccf14d681b05f925b0da87c991749652 HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=358&dpuuid=7919660468872361886 HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=411&dpuuid=Z3FGwQAAAIPC1wOJ HTTP/1.1Host: dpm.demdex.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755
Source: global traffic	HTTP traffic detected: GET /pixel?google_nid=adobe_dmp&google_cm=&gdpr=0&gdpr_consent=&google_hm=ODE5ODAzNTk1MTE4MDY2NDY5MTM3MTQzMTkyMzk4NDE3MzM0ODM=&google_tc= HTTP/1.1Host: cm.g.doubleclick.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: test_cookie=CheckForPermission
Source: global traffic	HTTP traffic detected: GET /i/adsct?p_user_id=81980359511806646913714319239841733483&p_id=38594 HTTP/1.1Host: analytics.twitter.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=771&dpuuid=CAESEIv6GK4jHao86K5Dl2BpM8w&google_cver=1?gdpr=0&gdpr_consent= HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=992&dpuuid=12uyav2s7qrz9 HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=782&dpuuid=Z3FGwQAAAIPC1wOJ HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447
Source: global traffic	HTTP traffic detected: GET /track/cmf/generic?ttd_pid=aam&gdpr=0&gdpr_consent=&domain=www.microsoft.com&ttd_tpi=1 HTTP/1.1Host: match.adsrvr.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /pixel/p-vj4AYjBqd6VJ2.gif?idmatch=0&gdpr=0&gdpr_consent= HTTP/1.1Host: cms.quantserve.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /track/cmb/generic?ttd_pid=aam&gdpr=0&gdpr_consent=&domain=www.microsoft.com&ttd_tpi=1 HTTP/1.1Host: match.adsrvr.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: TDID=1583541f-3b09-4660-8f24-5ee8afc5ad60; TDCPM=CAEYBSgCMgsItoaM4tqE1D0QBTgB
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=477&dpuuid=779416a4c94a11361c21809cfac65e3347c1e49f6529a35cccf14d681b05f925b0da87c991749652 HTTP/1.1Host: dpm.demdex.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=358&dpuuid=7919660468872361886 HTTP/1.1Host: dpm.demdex.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579
Source: global traffic	HTTP traffic detected: GET /i/adsct?p_user_id=81980359511806646913714319239841733483&p_id=38594 HTTP/1.1Host: analytics.twitter.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: personalization_id="v1_qINRniee1m6dmxnwCWM25w=="
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=1175&gdpr=0&dpuuid=rBnh2q4Ystq3HrTfrxj70qhItNm3GrLbrRp0Vyrd HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=771&dpuuid=CAESEIv6GK4jHao86K5Dl2BpM8w&google_cver=1?gdpr=0&gdpr_consent= HTTP/1.1Host: dpm.demdex.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469\|72352-1-1735476945638
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=903&dpuuid=1583541f-3b09-4660-8f24-5ee8afc5ad60 HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=992&dpuuid=12uyav2s7qrz9 HTTP/1.1Host: dpm.demdex.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469\|72352-1-1735476945638
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=782&dpuuid=Z3FGwQAAAIPC1wOJ HTTP/1.1Host: dpm.demdex.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469\|72352-1-1735476945638
Source: global traffic	HTTP traffic detected: GET /i.match?p=b13&u=81980359511806646913714319239841733483&redirect=https%3A%2F%2Fdpm.demdex.net%2Fibs%3Adpid=22054&dpuuid=$TF_USER_ID_ENC$ HTTP/1.1Host: a.tribalfusion.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=1175&gdpr=0&dpuuid=rBnh2q4Ystq3HrTfrxj70qhItNm3GrLbrRp0Vyrd HTTP/1.1Host: dpm.demdex.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469\|72352-1-1735476945638\|80742-1-1735476946460
Source: global traffic	HTTP traffic detected: GET /cms?partner_id=ADOBE&_hosted_id=81980359511806646913714319239841733483&gdpr=0&gdpr_consent= HTTP/1.1Host: cms.analytics.yahoo.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dmp/adobe/user?dd_uuid=81980359511806646913714319239841733483 HTTP/1.1Host: bttrack.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=1957&dpuuid=36FF432003A167C3345E564402D36635 HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469\|72352-1-1735476945638\|80742-1-1735476946460\|81309-1-1735476947610
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=57282&dpuuid=2E914D972AFE82751AB32520679948A5 HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469\|72352-1-1735476945638\|80742-1-1735476946460\|81309-1-1735476947610\|121998-1-1735476948528
Source: global traffic	HTTP traffic detected: GET /z/i.match?p=b13&u=81980359511806646913714319239841733483&redirect=https%3A%2F%2Fdpm.demdex.net%2Fibs%3Adpid=22054&dpuuid=$TF_USER_ID_ENC$ HTTP/1.1Host: s.tribalfusion.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ANON_ID=axnoeUsKBRxFmDqS86KRhBiEjlMTBbkp0YrJmv4s
Source: global traffic	HTTP traffic detected: GET /getuid?redir=%2F%2Fdpm.demdex.net%2Fibs%3Adpid%3D72352%26dpuuid%3D$UID%26gdpr%3D0%26gdpr_consent%3D&gdpr=0&gdpr_consent= HTTP/1.1Host: dmpsync.3lift.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /getuid?ld=1&gdpr=0&cmp_cs=&us_privacy=&redir=%2F%2Fdpm.demdex.net%2Fibs%3Adpid%3D72352%26dpuuid%3D%24UID%26gdpr%3D0%26gdpr_consent%3D HTTP/1.1Host: dmpsync.3lift.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: tluidp=1308204673543769676240; tluid=1308204673543769676240
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=3047&dpuuid=62072665D1BB57&gdpr=0&gdpr_consent= HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469\|72352-1-1735476945638\|80742-1-1735476946460\|81309-1-1735476947610\|121998-1-1735476948528
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=49276&dpuuid=4751b02c-91a9-44d0-98c8-2ce193718c9d HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469\|72352-1-1735476945638\|80742-1-1735476946460\|81309-1-1735476947610\|121998-1-1735476948528
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=22054 HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469\|72352-1-1735476945638\|80742-1-1735476946460\|81309-1-1735476947610\|121998-1-1735476948528
Source: global traffic	HTTP traffic detected: GET /ups/58782/cms?partner_id=ADOBE&_hosted_id=81980359511806646913714319239841733483&gdpr=0&gdpr_consent= HTTP/1.1Host: ups.analytics.yahoo.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dv/sync?tid=6 HTTP/1.1Host: ag.innovid.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=72352&dpuuid=1308204673543769676240&gdpr=0&gdpr_consent= HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469\|72352-1-1735476945638\|80742-1-1735476946460\|81309-1-1735476947610\|121998-1-1735476948528\|144228-1-1735476951021\|144229-1-1735476951595
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=903&dpuuid=1583541f-3b09-4660-8f24-5ee8afc5ad60 HTTP/1.1Host: dpm.demdex.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469\|72352-1-1735476945638\|80742-1-1735476946460\|81309-1-1735476947610\|121998-1-1735476948528\|144228-1-1735476951021\|144229-1-1735476951595
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=1957&dpuuid=36FF432003A167C3345E564402D36635 HTTP/1.1Host: dpm.demdex.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469\|72352-1-1735476945638\|80742-1-1735476946460\|81309-1-1735476947610\|121998-1-1735476948528\|144228-1-1735476951021\|144229-1-1735476951595
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=57282&dpuuid=2E914D972AFE82751AB32520679948A5 HTTP/1.1Host: dpm.demdex.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469\|72352-1-1735476945638\|80742-1-1735476946460\|81309-1-1735476947610\|121998-1-1735476948528\|144228-1-1735476951021\|144229-1-1735476951595
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=80742&dpuuid=c8fd9785-6050-4726-a9f9-b46a4cd24059 HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469\|72352-1-1735476945638\|80742-1-1735476946460\|81309-1-1735476947610\|121998-1-1735476948528\|144228-1-1735476951021\|144229-1-1735476951595\|144230-1-1735476952758
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=53196&dpuuid=Q7887633501042930475 HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469\|72352-1-1735476945638\|80742-1-1735476946460\|81309-1-1735476947610\|121998-1-1735476948528\|144228-1-1735476951021\|144229-1-1735476951595\|144230-1-1735476952758
Source: global traffic	HTTP traffic detected: GET /ups/58782/cms?partner_id=ADOBE&_hosted_id=81980359511806646913714319239841733483&gdpr=0&gdpr_consent=&uid=81980359511806646913714319239841733483&verify=true HTTP/1.1Host: ups.analytics.yahoo.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: A3=d=AQABBNlGcWcCEP418rI5LxgkjDowQsO_U2kFEgEBAQGYcmd7Z9xH0iMA_eMAAA&S=AQAAAgTfjOpvEXGWYwlaL17iqbI
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=3047&dpuuid=62072665D1BB57&gdpr=0&gdpr_consent= HTTP/1.1Host: dpm.demdex.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469\|72352-1-1735476945638\|80742-1-1735476946460\|81309-1-1735476947610\|121998-1-1735476948528\|144228-1-1735476951021\|144229-1-1735476951595\|144230-1-1735476952758\|144231-1-1735476953501
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=49276&dpuuid=4751b02c-91a9-44d0-98c8-2ce193718c9d HTTP/1.1Host: dpm.demdex.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469\|72352-1-1735476945638\|80742-1-1735476946460\|81309-1-1735476947610\|121998-1-1735476948528\|144228-1-1735476951021\|144229-1-1735476951595\|144230-1-1735476952758\|144231-1-1735476953501
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=22054 HTTP/1.1Host: dpm.demdex.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469\|72352-1-1735476945638\|80742-1-1735476946460\|81309-1-1735476947610\|121998-1-1735476948528\|144228-1-1735476951021\|144229-1-1735476951595\|144230-1-1735476952758\|144231-1-1735476953501
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=72352&dpuuid=1308204673543769676240&gdpr=0&gdpr_consent= HTTP/1.1Host: dpm.demdex.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469\|72352-1-1735476945638\|80742-1-1735476946460\|81309-1-1735476947610\|121998-1-1735476948528\|144228-1-1735476951021\|144229-1-1735476951595\|144230-1-1735476952758\|144231-1-1735476953501
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=80742&dpuuid=c8fd9785-6050-4726-a9f9-b46a4cd24059 HTTP/1.1Host: dpm.demdex.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469\|72352-1-1735476945638\|80742-1-1735476946460\|81309-1-1735476947610\|121998-1-1735476948528\|144228-1-1735476951021\|144229-1-1735476951595\|144230-1-1735476952758\|144231-1-1735476953501\|144232-1-1735476954457
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=53196&dpuuid=Q7887633501042930475 HTTP/1.1Host: dpm.demdex.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469\|72352-1-1735476945638\|80742-1-1735476946460\|81309-1-1735476947610\|121998-1-1735476948528\|144228-1-1735476951021\|144229-1-1735476951595\|144230-1-1735476952758\|144231-1-1735476953501\|144232-1-1735476954457
Source: global traffic	HTTP traffic detected: GET /ibs:dpid=30646?dpuuid=y-DB98BwxE2pHQ359Tf8fodPg83iXpWfuDDDg-~A HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485\|903-1-1735476936048\|1175-1-1735476936456\|1957-1-1735476938094\|3047-1-1735476938447\|22054-1-1735476939491\|30646-1-1735476940463\|53196-1-1735476942217\|38117-1-1735476943312\|57282-1-1735476943579\|49276-1-1735476944469\|72352-1-1735476945638\|80742-1-1735476946460\|81309-1-1735476947610\|121998-1-1735476948528\|144228-1-1735476951021\|144229-1-1735476951595\|144230-1-1735476952758\|144231-1-1735476953501\|144232-1-1735476954457
Source: global traffic	HTTP traffic detected: GET /CookieSyncAdobe HTTP/1.1Host: rtb.adentifi.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mscom.demdex.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: c.s-microsoft.com
Source: global traffic	DNS traffic detected: DNS query: js.monitor.azure.com
Source: global traffic	DNS traffic detected: DNS query: aadcdn.msftauth.net
Source: global traffic	DNS traffic detected: DNS query: mem.gfx.ms
Source: global traffic	DNS traffic detected: DNS query: support.content.office.net
Source: global traffic	DNS traffic detected: DNS query: login.microsoftonline.com
Source: global traffic	DNS traffic detected: DNS query: assets.adobedtm.com
Source: global traffic	DNS traffic detected: DNS query: dpm.demdex.net
Source: global traffic	DNS traffic detected: DNS query: mscom.demdex.net
Source: global traffic	DNS traffic detected: DNS query: msftenterprise.sc.omtrdc.net
Source: global traffic	DNS traffic detected: DNS query: cm.everesttech.net
Source: global traffic	DNS traffic detected: DNS query: ib.adnxs.com
Source: global traffic	DNS traffic detected: DNS query: idsync.rlcdn.com
Source: global traffic	DNS traffic detected: DNS query: cm.g.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: rtd.tubemogul.com
Source: global traffic	DNS traffic detected: DNS query: idpix.media6degrees.com
Source: global traffic	DNS traffic detected: DNS query: analytics.twitter.com
Source: global traffic	DNS traffic detected: DNS query: rtd-tm.everesttech.net
Source: global traffic	DNS traffic detected: DNS query: match.adsrvr.org
Source: global traffic	DNS traffic detected: DNS query: cms.quantserve.com
Source: global traffic	DNS traffic detected: DNS query: servedby.flashtalking.com
Source: global traffic	DNS traffic detected: DNS query: a.tribalfusion.com
Source: global traffic	DNS traffic detected: DNS query: cms.analytics.yahoo.com
Source: global traffic	DNS traffic detected: DNS query: px.owneriq.net
Source: global traffic	DNS traffic detected: DNS query: jadserve.postrelease.com
Source: global traffic	DNS traffic detected: DNS query: ds.reson8.com
Source: global traffic	DNS traffic detected: DNS query: bttrack.com
Source: global traffic	DNS traffic detected: DNS query: s.tribalfusion.com
Source: global traffic	DNS traffic detected: DNS query: dmpsync.3lift.com
Source: global traffic	DNS traffic detected: DNS query: ag.innovid.com
Source: global traffic	DNS traffic detected: DNS query: ups.analytics.yahoo.com
Source: global traffic	DNS traffic detected: DNS query: rtb.adentifi.com
Source: global traffic	DNS traffic detected: DNS query: sync.crwdcntrl.net
Source: global traffic	DNS traffic detected: DNS query: sync-tm.everesttech.net

Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A903D000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703021480.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A903F000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702887018.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A903B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703440801.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A9033000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1705377381.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702755893.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1704803384.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703557945.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823292790.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1822267025.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816401316.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816198264.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1821331699.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1813354350.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1820471446.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1815198590.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A903D000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703021480.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702887018.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A903B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703440801.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A9033000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1705377381.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702755893.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1704803384.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703557945.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823292790.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1822267025.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816401316.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816198264.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1821331699.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1813354350.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1820471446.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1815198590.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823942492.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703021480.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A903F000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702887018.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703440801.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A9033000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1705377381.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702755893.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703557945.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823292790.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1822267025.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816401316.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816198264.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1813354350.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1815198590.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823942492.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1813594133.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823292790.000001EB0A295000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1814913258.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1850173368.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1843822452.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: powershell.exe, 00000004.00000002.1866941156.000002512A885000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftp
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A903B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1704803384.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1821331699.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1820471446.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1817110616.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1817110616.000001EB0A292000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1844723692.00000245F38CD000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1846178643.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1844723692.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702887018.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1814913258.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1843629057.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digi
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A903D000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703021480.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702887018.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A903B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703440801.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A9033000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1705377381.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702755893.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1704803384.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703557945.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823292790.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1822267025.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816401316.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816198264.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1821331699.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1813354350.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1820471446.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1815198590.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823942492.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703021480.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A903F000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702887018.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703440801.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A9033000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1705377381.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702755893.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703557945.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823292790.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1822267025.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816401316.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816198264.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1813354350.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1815198590.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823942492.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1813594133.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823292790.000001EB0A295000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1814913258.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1850173368.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1843822452.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A903D000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703021480.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702887018.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A903B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703440801.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A9033000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1705377381.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702755893.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1704803384.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703557945.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823292790.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1822267025.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816401316.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816198264.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1821331699.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1813354350.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1820471446.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1815198590.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823942492.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703021480.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A903F000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702887018.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703440801.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A9033000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1705377381.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702755893.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703557945.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823292790.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1822267025.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816401316.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816198264.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1813354350.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1815198590.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823942492.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1813594133.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823292790.000001EB0A295000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1814913258.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1850173368.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1843822452.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SystemUpdate.exe, 00000012.00000003.1843629057.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digir
Source: WinHex.exe, 0000000B.00000003.1814913258.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digi~R
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A903D000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703021480.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A903F000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702887018.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A903B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703440801.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A9033000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1705377381.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702755893.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1704803384.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703557945.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823292790.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1822267025.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816401316.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816198264.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1821331699.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1813354350.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1820471446.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1815198590.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A903D000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703021480.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702887018.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A903B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703440801.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A9033000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1705377381.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702755893.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1704803384.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703557945.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823292790.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1822267025.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816401316.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816198264.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1821331699.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1813354350.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1820471446.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1815198590.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823942492.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703021480.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A903F000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702887018.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703440801.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A9033000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1705377381.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702755893.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703557945.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823292790.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1822267025.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816401316.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816198264.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1813354350.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1815198590.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823942492.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1813594133.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823292790.000001EB0A295000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1814913258.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1850173368.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1843822452.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: svchost.exe, 00000039.00000003.2435149189.0000015985E58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000039.00000003.2435149189.0000015985E58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 00000039.00000003.2435149189.0000015985E58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 00000039.00000003.2435149189.0000015985E58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000039.00000003.2435149189.0000015985E58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000039.00000003.2435149189.0000015985E58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000039.00000003.2435149189.0000015985E8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000039.00000003.2435149189.0000015985F47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000002.00000002.1882736475.0000026FBFCF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1957310258.000002513C583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A903D000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703021480.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A903F000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702887018.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A903B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703440801.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A9033000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1705377381.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702755893.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1704803384.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703557945.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823292790.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1822267025.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816401316.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816198264.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1821331699.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1813354350.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1820471446.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1815198590.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A903D000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703021480.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702887018.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A903B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703440801.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A9033000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1705377381.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702755893.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1704803384.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703557945.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823292790.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1822267025.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816401316.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816198264.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1821331699.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1813354350.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1820471446.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1815198590.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823942492.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703021480.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A903F000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702887018.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703440801.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A9033000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1705377381.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702755893.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703557945.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823292790.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1822267025.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816401316.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816198264.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1813354350.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1815198590.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823942492.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1813594133.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823292790.000001EB0A295000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1814913258.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1850173368.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1843822452.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A903B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1704803384.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1821331699.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1820471446.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1817110616.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1817110616.000001EB0A292000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1844723692.00000245F38CD000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1846178643.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1844723692.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000004.00000002.1867366706.000002512C738000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1846925587.0000026FAFEA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1867366706.000002512C738000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.1846925587.0000026FAFC81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1867366706.000002512C511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1846925587.0000026FAFEA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1867366706.000002512C738000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A903B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1704803384.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1821331699.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1820471446.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1817110616.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1817110616.000001EB0A292000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1844723692.00000245F38CD000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1846178643.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1844723692.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A903B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1704803384.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1821331699.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1820471446.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1817110616.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1817110616.000001EB0A292000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1844723692.00000245F38CD000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1846178643.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1844723692.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A903B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1704803384.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1821331699.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1820471446.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1817110616.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1817110616.000001EB0A292000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1844723692.00000245F38CD000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1846178643.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1844723692.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: powershell.exe, 00000004.00000002.1867366706.000002512C738000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.1975794345.0000025144A9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coo
Source: T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1755828370.000001F6E4452000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1755443946.000001F6E4452000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000002.1758988977.000001F6E4452000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1756154803.000001F6E4452000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/d
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706919277.00000173A9033000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1825196606.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1851565284.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1867345702.000001D545EEE000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1867589312.000001D545EEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: T1#U52a9#U624b1.0.1.exe, 00000001.00000002.1758674190.000001F6E41F0000.00000004.00001000.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1710459219.000001F6E244D000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000E.00000003.1829408407.000002B9E79B9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000E.00000003.1829474776.000002B9E79CD000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1865587018.000001D545EE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: powershell.exe, 00000002.00000002.1846925587.0000026FAFC81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1867366706.000002512C511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.1867366706.000002512C738000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000004.00000002.1957310258.000002513C583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.1957310258.000002513C583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.1957310258.000002513C583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000039.00000003.2435149189.0000015985F02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000039.00000003.2435149189.0000015985E96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000039.00000003.2435149189.0000015985F02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000039.00000003.2435149189.0000015985EE3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000039.00000003.2435149189.0000015985F34000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000039.00000003.2435149189.0000015985F47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000039.00000003.2435149189.0000015985F02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000004.00000002.1867366706.000002512C738000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1718087522.000001F6E2426000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1710025061.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709463356.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709298564.000001F6E2436000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709347432.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709311079.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000002.1757804161.000001F6E23E4000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709590975.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709463356.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1756004944.000001F6E4403000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1756716169.000001F6E23E3000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709730001.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709285474.000001F6E243B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709913441.000001F6E23FF000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709913441.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709347432.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1755741956.000001F6E23B6000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1755934980.000001F6E23DF000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709590975.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000002.1758961819.000001F6E4404000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709198904.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709298564.000001F6E2436000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L6
Source: T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1710025061.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709463356.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709311079.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000002.1758367361.000001F6E3C50000.00000004.00001000.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709913441.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709347432.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709590975.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709198904.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000E.00000003.1827855767.000002B9E799E000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000E.00000003.1828277109.000002B9E799E000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000E.00000003.1828101951.000002B9E799E000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000E.00000003.1828556196.000002B9E799E000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000E.00000003.1828023488.000002B9E799E000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000E.00000003.1829089256.000002B9E799E000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000E.00000003.1828002573.000002B9E79A4000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000E.00000003.1828823515.000002B9E799E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: SystemUpdate.exe, 00000013.00000003.1855864818.000001D545E9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1718087522.000001F6E2426000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1710025061.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709463356.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709298564.000001F6E2436000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709347432.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709311079.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000002.1757804161.000001F6E23E4000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709590975.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709463356.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1756004944.000001F6E4403000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1756716169.000001F6E23E3000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709730001.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709285474.000001F6E243B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709913441.000001F6E23FF000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709913441.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709347432.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1755741956.000001F6E23B6000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1755934980.000001F6E23DF000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709590975.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1756154803.000001F6E4407000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709198904.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1718087522.000001F6E2426000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1710025061.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709463356.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709298564.000001F6E2436000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709347432.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709311079.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000002.1757804161.000001F6E23E4000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709590975.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709463356.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1756004944.000001F6E4403000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1756716169.000001F6E23E3000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709730001.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709285474.000001F6E243B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709913441.000001F6E23FF000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709913441.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709347432.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1755741956.000001F6E23B6000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1755934980.000001F6E23DF000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709590975.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000002.1758961819.000001F6E4404000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709198904.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: powershell.exe, 00000002.00000002.1882736475.0000026FBFCF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1957310258.000002513C583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000039.00000003.2435149189.0000015985F02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000039.00000003.2435149189.0000015985E96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A903D000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703021480.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A903F000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702887018.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A903B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703440801.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A9033000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1705377381.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702755893.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1704803384.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703557945.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823292790.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1822267025.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816401316.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816198264.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1821331699.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1813354350.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1820471446.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1815198590.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1704803384.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1821331699.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1846178643.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/H

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50699
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50618
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50738
Source: unknown	Network traffic detected: HTTP traffic on port 50690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50691
Source: unknown	Network traffic detected: HTTP traffic on port 50489 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50698
Source: unknown	Network traffic detected: HTTP traffic on port 50815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50582
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50583
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50586
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50587
Source: unknown	Network traffic detected: HTTP traffic on port 50761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50667 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50537 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50636
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50756
Source: unknown	Network traffic detected: HTTP traffic on port 50550 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50519
Source: unknown	Network traffic detected: HTTP traffic on port 50422 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50639
Source: unknown	Network traffic detected: HTTP traffic on port 50558 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50597
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50751
Source: unknown	Network traffic detected: HTTP traffic on port 50708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50511
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50510
Source: unknown	Network traffic detected: HTTP traffic on port 50586 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 50660 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50801
Source: unknown	Network traffic detected: HTTP traffic on port 50530 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50760
Source: unknown	Network traffic detected: HTTP traffic on port 50784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50597 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50489
Source: unknown	Network traffic detected: HTTP traffic on port 50566 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50535 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 50510 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50583 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50808
Source: unknown	Network traffic detected: HTTP traffic on port 50753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50535
Source: unknown	Network traffic detected: HTTP traffic on port 50802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50537
Source: unknown	Network traffic detected: HTTP traffic on port 50636 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50539
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50530
Source: unknown	Network traffic detected: HTTP traffic on port 50760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50774
Source: unknown	Network traffic detected: HTTP traffic on port 50811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50542 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50667
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50822
Source: unknown	Network traffic detected: HTTP traffic on port 50822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50618 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50639 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50660
Source: unknown	Network traffic detected: HTTP traffic on port 50786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50542
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50422
Source: unknown	Network traffic detected: HTTP traffic on port 50285 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50708
Source: unknown	Network traffic detected: HTTP traffic on port 50680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50709
Source: unknown	Network traffic detected: HTTP traffic on port 50713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50559
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50558
Source: unknown	Network traffic detected: HTTP traffic on port 50823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50714
Source: unknown	Network traffic detected: HTTP traffic on port 50800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50790
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50550
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50796
Source: unknown	Network traffic detected: HTTP traffic on port 50519 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50582 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50511 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50285
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50680
Source: unknown	Network traffic detected: HTTP traffic on port 50559 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50566
Source: unknown	Network traffic detected: HTTP traffic on port 50539 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50587 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50690
Source: unknown	Network traffic detected: HTTP traffic on port 50774 -> 443

Source: C:\Users\user\AppData\WinHex.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Source: schtasks.exe	Process created: 49
Source: cmd.exe	Process created: 52

Source: C:\Users\user\AppData\LineInst.exe	File created: C:\Windows\Logs\MoSetup\BlueBox.log			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\$Windows.~WS\Sources\SetupHost.exe

File deleted: C:\Windows\Panther\DlTel.etl

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1E6780	0_2_00007FF77B1E6780
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B204E20	0_2_00007FF77B204E20
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1F6714	0_2_00007FF77B1F6714
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B205D6C	0_2_00007FF77B205D6C
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1E1B90	0_2_00007FF77B1E1B90
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B208B68	0_2_00007FF77B208B68
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1F13C4	0_2_00007FF77B1F13C4
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1F0BA4	0_2_00007FF77B1F0BA4
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1F8BA0	0_2_00007FF77B1F8BA0
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1FCC04	0_2_00007FF77B1FCC04
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1F2C04	0_2_00007FF77B1F2C04
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1F11C0	0_2_00007FF77B1F11C0
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B2031CC	0_2_00007FF77B2031CC
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1F09A0	0_2_00007FF77B1F09A0
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B2009B4	0_2_00007FF77B2009B4
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1FFA08	0_2_00007FF77B1FFA08
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B205820	0_2_00007FF77B205820
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1F6714	0_2_00007FF77B1F6714
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1E80A0	0_2_00007FF77B1E80A0
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B20509C	0_2_00007FF77B20509C
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1FD098	0_2_00007FF77B1FD098
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1F4F50	0_2_00007FF77B1F4F50
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1FD718	0_2_00007FF77B1FD718
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1F6F98	0_2_00007FF77B1F6F98
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1F0FB4	0_2_00007FF77B1F0FB4
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1F2800	0_2_00007FF77B1F2800
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1F1E70	0_2_00007FF77B1F1E70
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B202D30	0_2_00007FF77B202D30
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1FFA08	0_2_00007FF77B1FFA08
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1F6560	0_2_00007FF77B1F6560
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1F0DB0	0_2_00007FF77B1F0DB0

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe

Code function: String function: 00007FF77B1E2770 appears 41 times

Source: LineInst.exe.1.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: MediaSetupUIMgr.dll.12.dr	Static PE information: Resource name: RT_STRING type: VAX-order2 68k Blit mpx/mux executable
Source: MediaSetupUIMgr.dll.12.dr	Static PE information: Resource name: RT_STRING type: MIPSEB-LE MIPS-III ECOFF executable - version 3.-82
Source: MediaSetupUIMgr.dll.12.dr	Static PE information: Resource name: RT_STRING type: basic-16 executable not stripped
Source: MediaSetupUIMgr.dll.12.dr	Static PE information: Resource name: RT_STRING type: PDP-11 pure executable not stripped
Source: SetupCore.dll.12.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SetupCore.dll.12.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: LineInst.exe.1.dr

Static PE information: Resource name: RT_STRING type: GTA2 binary mission script (SCR), Industrial area (bil)

Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703021480.00000173A9032000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs T1#U52a9#U624b1.0.1.exe
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702622530.00000173A9032000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs T1#U52a9#U624b1.0.1.exe
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702887018.00000173A9032000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs T1#U52a9#U624b1.0.1.exe
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703440801.00000173A9032000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs T1#U52a9#U624b1.0.1.exe
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A9033000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs T1#U52a9#U624b1.0.1.exe
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A9032000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs T1#U52a9#U624b1.0.1.exe
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702755893.00000173A9032000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs T1#U52a9#U624b1.0.1.exe
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1704803384.00000173A9032000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs T1#U52a9#U624b1.0.1.exe
Source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703557945.00000173A9032000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs T1#U52a9#U624b1.0.1.exe

Source: classification engine

Classification label: mal46.evad.winEXE@262/400@106/27

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe

Code function: 0_2_00007FF77B1E74B0 GetLastError,FormatMessageW,WideCharToMultiByte,

0_2_00007FF77B1E74B0

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe

File created: C:\Users\user\AppData\LineInst.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:120:WilError_03
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\SetupLog
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7976:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
Source: C:\Users\user\AppData\WinHex.exe	Mutant created: \Sessions\1\BaseNamedObjects\2024.12.20
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_03
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\WdsSetupLogInit
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2936:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5220:120:WilError_03
Source: C:\Users\user\AppData\LineInst.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Microsoft.Windows.Websetup
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4312:120:WilError_03
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\OneSettingQueryMutex+WSD+Setup360
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1244:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2912:120:WilError_03

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI22562

Jump to behavior

Source: T1#U52a9#U624b1.0.1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\$Windows.~WS\Sources\SetupHost.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Name, Caption, Architecture, MaxClockSpeed FROM Win32_Processor

Source: C:\$Windows.~WS\Sources\SetupHost.exe

File read: C:\Windows\win.ini

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe

File read: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe "C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe"
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Process created: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe "C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe"
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../LineInst.exe'; $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date); $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnce' -Description 'MicrosoftEdgeUpdatesOnce once' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnce' "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../WinHex.exe'; $Trigger = New-ScheduledTaskTrigger -AtLogon; $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnceMe' -Description 'MicrosoftEdgeUpdatesOnce once You' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnceMe' "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +s +a +h C:\Users\user\AppData\LineInst.exe&&attrib +s +a +h C:\Users\user\AppData\WinHex.exe&&attrib +s +a +h C:\Users\user\AppData\SystemUpdate.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +a +h C:\Users\user\AppData\LineInst.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +a +h C:\Users\user\AppData\WinHex.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +a +h C:\Users\user\AppData\SystemUpdate.exe
Source: unknown	Process created: C:\Users\user\AppData\WinHex.exe C:\Users\user\AppData\Roaming\../WinHex.exe
Source: unknown	Process created: C:\Users\user\AppData\LineInst.exe C:\Users\user\AppData\Roaming\../LineInst.exe
Source: C:\Users\user\AppData\LineInst.exe	Process created: C:\$Windows.~WS\Sources\SetupHost.exe "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
Source: C:\Users\user\AppData\WinHex.exe	Process created: C:\Users\user\AppData\WinHex.exe C:\Users\user\AppData\Roaming\../WinHex.exe
Source: unknown	Process created: C:\Windows\System32\vdsldr.exe C:\Windows\System32\vdsldr.exe -Embedding
Source: C:\Users\user\AppData\WinHex.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\SystemUpdate.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\SystemUpdate.exe C:\Users\user\AppData\SystemUpdate.exe
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Users\user\AppData\SystemUpdate.exe C:\Users\user\AppData\SystemUpdate.exe
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1936,i,15628791438985490340,2968363924654632854,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2032,i,4475010063348466522,12630456280325372382,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1968,i,58944968473598260,14066714597260275696,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1988,i,2397862122718210806,12237267871317461974,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=2024,i,1043454292865957278,12392202252195058562,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2012,i,4017807827871240827,294443514438666825,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=532930
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 --field-trial-handle=2004,i,15154464915754026399,3836572238122876390,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=1936,i,10198018738591083414,2483585144497047882,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=2008,i,5238929235679066905,12786035706151781453,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1968,i,6157079858765921233,5568951314403497470,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=2016,i,15539671429910762002,15161021274924515465,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1148,i,2046368302589155641,3041774423784538269,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2012,i,11408168899703520178,4411795298762762360,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Process created: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe "C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../LineInst.exe'; $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date); $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnce' -Description 'MicrosoftEdgeUpdatesOnce once' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnce' "	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../WinHex.exe'; $Trigger = New-ScheduledTaskTrigger -AtLogon; $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnceMe' -Description 'MicrosoftEdgeUpdatesOnce once You' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnceMe' "	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +s +a +h C:\Users\user\AppData\LineInst.exe&&attrib +s +a +h C:\Users\user\AppData\WinHex.exe&&attrib +s +a +h C:\Users\user\AppData\SystemUpdate.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +a +h C:\Users\user\AppData\LineInst.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +a +h C:\Users\user\AppData\WinHex.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +a +h C:\Users\user\AppData\SystemUpdate.exe	Jump to behavior
Source: C:\Users\user\AppData\WinHex.exe	Process created: C:\Users\user\AppData\WinHex.exe C:\Users\user\AppData\Roaming\../WinHex.exe	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Process created: C:\$Windows.~WS\Sources\SetupHost.exe "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web	Jump to behavior
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\WinHex.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\SystemUpdate.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\SystemUpdate.exe C:\Users\user\AppData\SystemUpdate.exe
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Users\user\AppData\SystemUpdate.exe C:\Users\user\AppData\SystemUpdate.exe
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=532930
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1936,i,15628791438985490340,2968363924654632854,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=530045
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=2024,i,1043454292865957278,12392202252195058562,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2032,i,4475010063348466522,12630456280325372382,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1968,i,58944968473598260,14066714597260275696,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1988,i,2397862122718210806,12237267871317461974,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=2024,i,1043454292865957278,12392202252195058562,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2012,i,4017807827871240827,294443514438666825,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 --field-trial-handle=2004,i,15154464915754026399,3836572238122876390,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=1936,i,10198018738591083414,2483585144497047882,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=2008,i,5238929235679066905,12786035706151781453,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1968,i,6157079858765921233,5568951314403497470,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=2016,i,15539671429910762002,15161021274924515465,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1148,i,2046368302589155641,3041774423784538269,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2012,i,11408168899703520178,4411795298762762360,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Section loaded: wimgapi.dll	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: apphelp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: aclayers.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: mpr.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: sfc.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: sfc_os.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: version.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: cabinet.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: wtsapi32.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: winhttp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: kernel.appcore.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: winbrand.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: wldp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: dbghelp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: dbgcore.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: winbrand.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: wldp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: slc.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: sppc.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: mfc42u.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: wmsgapi.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: wdscore.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: uxtheme.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: netapi32.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: slc.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: sppc.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: wkscli.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: netutils.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: msasn1.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: riched32.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: riched20.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: usp10.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: msls31.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: sspicli.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: unbcl.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: fltlib.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: virtdisk.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: profapi.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: xmllite.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: sspicli.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: unbcl.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: fltlib.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: virtdisk.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: profapi.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: xmllite.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: wbemcomn.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: amsi.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: userenv.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: policymanager.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: msvcp110_win.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: vds_ps.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: policymanager.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: msvcp110_win.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: winsta.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: iphlpapi.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: dhcpcsvc.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: webio.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: mswsock.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: winnsi.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: sspicli.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: dnsapi.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: rasadhlp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: fwpuclnt.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: schannel.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: mskeyprotect.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: ntasn1.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: ncrypt.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: ncryptsslp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: cryptsp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: rsaenh.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: cryptbase.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: gpapi.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: dpapi.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: windlp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: ntmarta.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: devrtl.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: textshaping.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: windowscodecs.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: textinputframework.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: coreuicomponents.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: coremessaging.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: coremessaging.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: wintypes.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: wintypes.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: wintypes.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: oleacc.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: dataexchange.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: d3d11.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: dcomp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: dxgi.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: twinapi.appcore.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: sxs.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: winbrand.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: wldp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: bitsproxy.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: unbcl.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: fltlib.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: virtdisk.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: xmllite.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: policymanager.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: msvcp110_win.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: winbrand.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: wldp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: wdsutil.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: tdh.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: mscoree.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: winsatapi.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: windows.storage.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: wldp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: python3.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: libffi-7.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: dinput8.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: inputhost.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: devenum.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: msdmo.dll
Source: C:\Users\user\AppData\WinHex.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\vdsldr.exe	Section loaded: atl.dll
Source: C:\Windows\System32\vdsldr.exe	Section loaded: vdsutil.dll
Source: C:\Windows\System32\vdsldr.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\vdsldr.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\vdsldr.exe	Section loaded: vds_ps.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\SystemUpdate.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\SystemUpdate.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\SystemUpdate.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\SystemUpdate.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\SystemUpdate.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\SystemUpdate.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll

Source: C:\$Windows.~WS\Sources\SetupHost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\$Windows.~WS\Sources\SetupHost.exe

File written: C:\$WINDOWS.~BT\Sources\SetupPlatform.ini

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe

File opened: C:\Users\user\Desktop\pyvenv.cfg

Jump to behavior

Source: C:\$Windows.~WS\Sources\SetupHost.exe	Automated click: Accept
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Automated click: Next
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Automated click: Next
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Automated click: Next

Source: C:\Users\user\AppData\LineInst.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: T1#U52a9#U624b1.0.1.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: T1#U52a9#U624b1.0.1.exe

Static file information: File size 38135059 > 1048576

Source: T1#U52a9#U624b1.0.1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: T1#U52a9#U624b1.0.1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: T1#U52a9#U624b1.0.1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: T1#U52a9#U624b1.0.1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: T1#U52a9#U624b1.0.1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: T1#U52a9#U624b1.0.1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: T1#U52a9#U624b1.0.1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: T1#U52a9#U624b1.0.1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a01\_work\6\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702622530.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1812752389.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1843026952.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\select.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706139679.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823292790.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1850173368.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: SetupPrep.pdbGCTL source: T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1726683748.000001F6ECEC4000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000C.00000003.1792989511.0000000005926000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000C.00000003.1796484557.0000000007084000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000C.00000003.1796355273.0000000003717000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000C.00000000.1789614892.0000000000821000.00000020.00000001.01000000.0000000B.sdmp, LineInst.exe, 0000000C.00000003.1792878564.0000000003700000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_lzma.pdbMM source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703021480.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1815198590.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1843822452.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_bz2.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702755893.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1813354350.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1843278211.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_hashlib.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702887018.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1814913258.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1843629057.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: SetupHost.pdbGCTL source: SetupHost.exe, 0000000D.00000000.1825359643.00000000006EC000.00000020.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_socket.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703440801.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1816198264.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1844015796.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: SetupHost.pdb source: SetupHost.exe, 0000000D.00000000.1825359643.00000000006EC000.00000020.00000001.01000000.0000000D.sdmp
Source:	Binary string: SetupPrep.pdb source: T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1726683748.000001F6ECEC4000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000C.00000003.1792989511.0000000005926000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000C.00000003.1796484557.0000000007084000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000C.00000003.1796355273.0000000003717000.00000004.00000020.00020000.00000000.sdmp, LineInst.exe, 0000000C.00000000.1789614892.0000000000821000.00000020.00000001.01000000.0000000B.sdmp, LineInst.exe, 0000000C.00000003.1792878564.0000000003700000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\unicodedata.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706296950.00000173A903D000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1823942492.000001EB0A292000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1850468835.00000245F38CD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_lzma.pdb source: T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703021480.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1815198590.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1843822452.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp

Source: T1#U52a9#U624b1.0.1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: T1#U52a9#U624b1.0.1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: T1#U52a9#U624b1.0.1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: T1#U52a9#U624b1.0.1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: T1#U52a9#U624b1.0.1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Suspicious powershell command line found

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../LineInst.exe'; $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date); $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnce' -Description 'MicrosoftEdgeUpdatesOnce once' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnce' "
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../WinHex.exe'; $Trigger = New-ScheduledTaskTrigger -AtLogon; $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnceMe' -Description 'MicrosoftEdgeUpdatesOnce once You' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnceMe' "
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../LineInst.exe'; $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date); $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnce' -Description 'MicrosoftEdgeUpdatesOnce once' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnce' "	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../WinHex.exe'; $Trigger = New-ScheduledTaskTrigger -AtLogon; $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnceMe' -Description 'MicrosoftEdgeUpdatesOnce once You' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnceMe' "	Jump to behavior

Source: pidgenx.dll.12.dr

Static PE information: 0xF18D0277 [Mon Jun 2 12:24:23 2098 UTC]

Source: T1#U52a9#U624b1.0.1.exe	Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: LineInst.exe.1.dr	Static PE information: section name: .boxload
Source: WinHex.exe.1.dr	Static PE information: section name: _RDATA
Source: SystemUpdate.exe.1.dr	Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.11.dr	Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.11.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll.11.dr	Static PE information: section name: .00cfg
Source: DU.dll.12.dr	Static PE information: section name: .didat
Source: DiagTrack.dll.12.dr	Static PE information: section name: .didat
Source: Diager.dll.12.dr	Static PE information: section name: .didat
Source: setupplatform.dll.12.dr	Static PE information: section name: .didat
Source: unbcl.dll.12.dr	Static PE information: section name: .didat
Source: wdsutil.dll.12.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.18.dr	Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.18.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll.18.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B2310CC push rbp; retn 0000h	0_2_00007FF77B2310CD
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B2310E4 push rcx; retn 0000h	0_2_00007FF77B2310ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B2BD2A5 pushad ; iretd	2_2_00007FFD9B2BD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B3D5E67 push esp; retf	2_2_00007FFD9B3D5E68
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B3D9B38 push E9606ABBh; ret	2_2_00007FFD9B3D9BA9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B28D2A5 pushad ; iretd	4_2_00007FFD9B28D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B3A0B5D pushad ; retf	4_2_00007FFD9B3A0D3D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B3A9B38 push E9606DBBh; ret	4_2_00007FFD9B3A9BA9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B3AD5B5 push eax; retf	4_2_00007FFD9B3AD74D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B3A8CFD push ebx; retf 000Ch	4_2_00007FFD9B3A8D0A

Source: pidgenx.dll.12.dr

Static PE information: section name: .text entropy: 6.807645664658098

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Process created: "C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe"
Source: C:\Users\user\AppData\WinHex.exe	Process created: C:\Users\user\AppData\Roaming\../WinHex.exe
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Users\user\AppData\SystemUpdate.exe

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior

Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22562\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22562\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\SystemUpdate.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76642\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	File created: C:\$Windows.~WS\Sources\wdstptc.dll	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	File created: C:\$Windows.~WS\Sources\DiagTrack.dll	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22562\python38.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	File created: C:\$Windows.~WS\Sources\wdsclientapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	File created: C:\$Windows.~WS\Sources\wdscore.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	File created: C:\$Windows.~WS\Sources\SetupHost.exe	Jump to dropped file
Source: C:\Users\user\AppData\SystemUpdate.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76642\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22562\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	File created: C:\Users\user\AppData\LineInst.exe	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	File created: C:\$Windows.~WS\Sources\unbcl.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	File created: C:\Users\user\AppData\SystemUpdate.exe	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	File created: C:\$Windows.~WS\Sources\WinDlp.dll	Jump to dropped file
Source: C:\Users\user\AppData\SystemUpdate.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76642\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	File created: C:\Users\user\AppData\WinHex.exe	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22562\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	File created: C:\$Windows.~WS\Sources\SetupMgr.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	File created: C:\$Windows.~WS\Sources\wdscsl.dll	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	File created: C:\$Windows.~WS\Sources\wpx.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\SystemUpdate.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76642\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	File created: C:\$Windows.~WS\Sources\setupplatform.dll	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22562\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\SystemUpdate.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76642\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\SystemUpdate.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76642\python38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22562\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22562\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	File created: C:\$Windows.~WS\Sources\wdsutil.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\python38.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	File created: C:\$Windows.~WS\Sources\SetupCore.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22562\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22562\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\SystemUpdate.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76642\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\SystemUpdate.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76642\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	File created: C:\$Windows.~WS\Sources\wdsimage.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\SystemUpdate.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76642\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22562\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	File created: C:\$Windows.~WS\Sources\pidgenx.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	File created: C:\$Windows.~WS\Sources\DU.dll	Jump to dropped file
Source: C:\Users\user\AppData\SystemUpdate.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76642\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	File created: C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	File created: C:\$Windows.~WS\Sources\DiagTrackRunner.exe	Jump to dropped file
Source: C:\Users\user\AppData\SystemUpdate.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76642\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	File created: C:\$Windows.~WS\Sources\Diager.dll	Jump to dropped file

Source: C:\$Windows.~WS\Sources\SetupHost.exe	File created: C:\$Windows.~WS\Sources\Panther\setuperr.log
Source: C:\$Windows.~WS\Sources\SetupHost.exe	File created: C:\$Windows.~WS\Sources\Panther\setupact.log
Source: C:\$Windows.~WS\Sources\SetupHost.exe	File created: C:\$WINDOWS.~BT\Sources\Panther\setuperr.log
Source: C:\$Windows.~WS\Sources\SetupHost.exe	File created: C:\$WINDOWS.~BT\Sources\Panther\setupact.log

Source: C:\$Windows.~WS\Sources\SetupHost.exe

File created: C:\$Windows.~WS\Sources\Panther\Eula.rtf

Boot Survival

Uses Register-ScheduledTask to add task schedules

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\../LineInst.exe'; $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date); $Principal = New-ScheduledTaskPrincipal -UserId 'user' -LogonType Interactive -RunLevel Highest; Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName 'MicrosoftEdgeUpdatesOnce' -Description 'MicrosoftEdgeUpdatesOnce once' -Force; Start-ScheduledTask -TaskName 'MicrosoftEdgeUpdatesOnce' "

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe

Hooking and other Techniques for Hiding and Protection

Creates files in alternative data streams (ADS)

Source: C:\$Windows.~WS\Sources\SetupHost.exe

File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe

Code function: 0_2_00007FF77B1E55D0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF77B1E55D0

Source: C:\$Windows.~WS\Sources\SetupHost.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\AppData\WinHex.exe

Key value created or modified: HKEY_CURRENT_USER\Console\1 d33f351a4aeea5e608853d1a56661059

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\$Windows.~WS\Sources\SetupHost.exe

System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

Source: C:\Users\user\AppData\WinHex.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05DF8D13-C355-47F4-A11E-851B338CEFB8}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7280	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2132	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7915	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1406	Jump to behavior
Source: C:\Users\user\AppData\WinHex.exe	Window / User API: threadDelayed 2871

Source: C:\Users\user\AppData\SystemUpdate.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76642\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\SystemUpdate.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76642\python38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22562\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22562\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22562\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\python38.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\SystemUpdate.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76642\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	Dropped PE file which has not been started: C:\$Windows.~WS\Sources\wdstptc.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	Dropped PE file which has not been started: C:\$Windows.~WS\Sources\DiagTrack.dll	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	Dropped PE file which has not been started: C:\$Windows.~WS\Sources\SetupCore.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22562\python38.dll	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	Dropped PE file which has not been started: C:\$Windows.~WS\Sources\wdsclientapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\SystemUpdate.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76642\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22562\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22562\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22562\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\SystemUpdate.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76642\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	Dropped PE file which has not been started: C:\$Windows.~WS\Sources\wdsimage.dll	Jump to dropped file
Source: C:\Users\user\AppData\SystemUpdate.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76642\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22562\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\SystemUpdate.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76642\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	Dropped PE file which has not been started: C:\$Windows.~WS\Sources\pidgenx.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22562\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	Dropped PE file which has not been started: C:\$Windows.~WS\Sources\SetupMgr.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	Dropped PE file which has not been started: C:\$Windows.~WS\Sources\DU.dll	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	Dropped PE file which has not been started: C:\$Windows.~WS\Sources\wdscsl.dll	Jump to dropped file
Source: C:\Users\user\AppData\SystemUpdate.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76642\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	Dropped PE file which has not been started: C:\$Windows.~WS\Sources\wpx.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	Dropped PE file which has not been started: C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\SystemUpdate.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76642\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	Dropped PE file which has not been started: C:\$Windows.~WS\Sources\DiagTrackRunner.exe	Jump to dropped file
Source: C:\Users\user\AppData\SystemUpdate.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76642\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	Dropped PE file which has not been started: C:\$Windows.~WS\Sources\Diager.dll	Jump to dropped file
Source: C:\Users\user\AppData\WinHex.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\LineInst.exe	Dropped PE file which has not been started: C:\$Windows.~WS\Sources\setupplatform.dll	Jump to dropped file
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22562\_socket.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-16191

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6700	Thread sleep count: 7280 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6788	Thread sleep count: 2132 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7236	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7276	Thread sleep count: 7915 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7364	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7276	Thread sleep count: 1406 > 30	Jump to behavior
Source: C:\$Windows.~WS\Sources\SetupHost.exe TID: 7552	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\WinHex.exe TID: 2932	Thread sleep count: 231 > 30
Source: C:\Users\user\AppData\WinHex.exe TID: 7632	Thread sleep count: 2871 > 30
Source: C:\Windows\System32\svchost.exe TID: 8148	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\$Windows.~WS\Sources\SetupHost.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_bios

Source: C:\$Windows.~WS\Sources\SetupHost.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\$Windows.~WS\Sources\SetupHost.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Name, Caption, Architecture, MaxClockSpeed FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\WinHex.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\WinHex.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\WinHex.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1F6714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF77B1F6714
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B2009B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF77B2009B4
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1E7820 FindFirstFileExW,FindClose,	0_2_00007FF77B1E7820
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1F6714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF77B1F6714

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 00000004.00000002.1867366706.000002512C738000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000004.00000002.1867366706.000002512C738000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: SetupHost.exe, 0000000D.00000003.1871348727.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, SetupHost.exe, 0000000D.00000003.1930041303.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, SetupHost.exe, 0000000D.00000003.1877225667.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, SetupHost.exe, 0000000D.00000003.1878724078.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, SetupHost.exe, 0000000D.00000003.1875178699.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, SetupHost.exe, 0000000D.00000003.1878033925.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, SetupHost.exe, 0000000D.00000003.1877721245.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, SetupHost.exe, 0000000D.00000003.1875596628.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, SetupHost.exe, 0000000D.00000003.1878323007.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, SetupHost.exe, 0000000D.00000003.1875962971.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000004.00000002.1867366706.000002512C738000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: SetupHost.exe, 0000000D.00000003.1843118657.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe

Code function: 0_2_00007FF77B1F9AE4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF77B1F9AE4

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe

Code function: 0_2_00007FF77B2025A0 GetProcessHeap,

0_2_00007FF77B2025A0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1F9AE4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF77B1F9AE4
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1EB880 SetUnhandledExceptionFilter,	0_2_00007FF77B1EB880
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1EB69C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF77B1EB69C
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Code function: 0_2_00007FF77B1EAE00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF77B1EAE00

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Process created: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe "C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +s +a +h C:\Users\user\AppData\LineInst.exe&&attrib +s +a +h C:\Users\user\AppData\WinHex.exe&&attrib +s +a +h C:\Users\user\AppData\SystemUpdate.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +a +h C:\Users\user\AppData\LineInst.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +a +h C:\Users\user\AppData\WinHex.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +a +h C:\Users\user\AppData\SystemUpdate.exe	Jump to behavior
Source: C:\Users\user\AppData\WinHex.exe	Process created: C:\Users\user\AppData\WinHex.exe C:\Users\user\AppData\Roaming\../WinHex.exe	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Process created: C:\$Windows.~WS\Sources\SetupHost.exe "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web	Jump to behavior
Source: C:\Users\user\AppData\WinHex.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\SystemUpdate.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\SystemUpdate.exe C:\Users\user\AppData\SystemUpdate.exe
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Users\user\AppData\SystemUpdate.exe C:\Users\user\AppData\SystemUpdate.exe
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.microsoft.com/fwlink/?LinkId=532930
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe"
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\SystemUpdate.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Query /TN MicrosoftEdgeUpdatesOnceMe
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command " $action = new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\../lineinst.exe'; $trigger = new-scheduledtasktrigger -once -at (get-date); $principal = new-scheduledtaskprincipal -userid 'user' -logontype interactive -runlevel highest; register-scheduledtask -action $action -trigger $trigger -principal $principal -taskname 'microsoftedgeupdatesonce' -description 'microsoftedgeupdatesonce once' -force; start-scheduledtask -taskname 'microsoftedgeupdatesonce' "
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command " $action = new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\../winhex.exe'; $trigger = new-scheduledtasktrigger -atlogon; $principal = new-scheduledtaskprincipal -userid 'user' -logontype interactive -runlevel highest; register-scheduledtask -action $action -trigger $trigger -principal $principal -taskname 'microsoftedgeupdatesonceme' -description 'microsoftedgeupdatesonce once you' -force; start-scheduledtask -taskname 'microsoftedgeupdatesonceme' "
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command " $action = new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\../lineinst.exe'; $trigger = new-scheduledtasktrigger -once -at (get-date); $principal = new-scheduledtaskprincipal -userid 'user' -logontype interactive -runlevel highest; register-scheduledtask -action $action -trigger $trigger -principal $principal -taskname 'microsoftedgeupdatesonce' -description 'microsoftedgeupdatesonce once' -force; start-scheduledtask -taskname 'microsoftedgeupdatesonce' "	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command " $action = new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\../winhex.exe'; $trigger = new-scheduledtasktrigger -atlogon; $principal = new-scheduledtaskprincipal -userid 'user' -logontype interactive -runlevel highest; register-scheduledtask -action $action -trigger $trigger -principal $principal -taskname 'microsoftedgeupdatesonceme' -description 'microsoftedgeupdatesonce once you' -force; start-scheduledtask -taskname 'microsoftedgeupdatesonceme' "	Jump to behavior

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe

Code function: 0_2_00007FF77B2089B0 cpuid

0_2_00007FF77B2089B0

Source: C:\$Windows.~WS\Sources\SetupHost.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\LineInst.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\SystemUpdate.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Queries volume information: C:\$Windows.~WS\Sources VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\LineInst.exe	Queries volume information: C:\$Windows.~WS VolumeInformation	Jump to behavior
Source: C:\$Windows.~WS\Sources\SetupHost.exe	Queries volume information: C:\Windows\Panther\DlTel.etl VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122 VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122 VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122 VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122 VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122 VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\_ctypes.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122 VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\_bz2.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122 VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\_lzma.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122 VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122 VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122 VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_ecb.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_ecb.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_cbc.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_cbc.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_cfb.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_cfb.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_ofb.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_ofb.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_ctr.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_ctr.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Util\_strxor.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Util\_strxor.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_BLAKE2s.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_BLAKE2s.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_SHA1.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_SHA1.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_MD5.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_MD5.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_Salsa20.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_Salsa20.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Protocol\_scrypt.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Protocol\_scrypt.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Util\_cpuid_c.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Util\_cpuid_c.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_ghash_portable.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_ghash_portable.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_ghash_clmul.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_ghash_clmul.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_ocb.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_ocb.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\WinHex.exe VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_aes.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_aes.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_aesni.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_aesni.pyd VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\WinHex.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74122\base_library.zip VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\SystemUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\SystemUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642 VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642 VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642 VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642 VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642 VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\SystemUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76642\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\SystemUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\SystemUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\SystemUpdate.exe	Queries volume information: C:\Users\user\AppData\SystemUpdate.exe VolumeInformation

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe

Code function: 0_2_00007FF77B1EB580 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF77B1EB580

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe

Code function: 0_2_00007FF77B204E20 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF77B204E20

Source: C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\$Windows.~WS\Sources\SetupHost.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Drive-by Compromise	41 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	1 Replication Through Removable Media	1 Native API	2 Scheduled Task/Job	11 Process Injection	3 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Command and Scripting Interpreter	Logon Script (Windows)	2 Scheduled Task/Job	1 Software Packing	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Scheduled Task/Job	Login Hook	Login Hook	1 Timestomp	NTDS	65 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	261 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	151 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	151 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 NTFS File Attributes	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
T1#U52a9#U624b1.0.1.exe	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\$Windows.~WS\Sources\DU.dll	0%	ReversingLabs
C:\$Windows.~WS\Sources\DiagTrack.dll	0%	ReversingLabs
C:\$Windows.~WS\Sources\DiagTrackRunner.exe	0%	ReversingLabs
C:\$Windows.~WS\Sources\Diager.dll	0%	ReversingLabs
C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll	0%	ReversingLabs
C:\$Windows.~WS\Sources\SetupCore.dll	0%	ReversingLabs
C:\$Windows.~WS\Sources\SetupHost.exe	0%	ReversingLabs
C:\$Windows.~WS\Sources\SetupMgr.dll	0%	ReversingLabs
C:\$Windows.~WS\Sources\WinDlp.dll	0%	ReversingLabs
C:\$Windows.~WS\Sources\pidgenx.dll	0%	ReversingLabs
C:\$Windows.~WS\Sources\setupplatform.dll	0%	ReversingLabs
C:\$Windows.~WS\Sources\unbcl.dll	0%	ReversingLabs
C:\$Windows.~WS\Sources\wdsclientapi.dll	0%	ReversingLabs
C:\$Windows.~WS\Sources\wdscore.dll	0%	ReversingLabs
C:\$Windows.~WS\Sources\wdscsl.dll	0%	ReversingLabs
C:\$Windows.~WS\Sources\wdsimage.dll	0%	ReversingLabs
C:\$Windows.~WS\Sources\wdstptc.dll	0%	ReversingLabs
C:\$Windows.~WS\Sources\wdsutil.dll	0%	ReversingLabs
C:\$Windows.~WS\Sources\wpx.dll	0%	ReversingLabs
C:\Users\user\AppData\LineInst.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22562\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22562\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22562\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22562\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22562\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22562\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22562\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22562\libssl-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22562\python38.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22562\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22562\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_SHA224.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_SHA384.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_SHA512.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_ghash_portable.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_keccak.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Hash\_poly1305.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Math\_modexp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\PublicKey\_ec_ws.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\PublicKey\_ed25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\PublicKey\_ed448.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\PublicKey\_x25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74122\Crypto\Util\_cpuid_c.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label
http://crl3.digi~R	0%	Avira URL Cloud	safe
http://crl.microsoftp	0%	Avira URL Cloud	safe
http://crl3.digir	0%	Avira URL Cloud	safe
http://www.microsoft.coo	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s.tribalfusion.com	172.64.150.63	true	false	high
s.twitter.com	104.244.42.67	true	false	high
global.px.quantserve.com	91.228.74.200	true	false	high
aragorn-prod-or-acai-lb.inbake.com	52.43.7.224	true	false	high
sni1gl.wpc.alphacdn.net	152.199.21.175	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
eu-eb2.3lift.com	76.223.111.18	true	false	high
bttrack.com	192.132.33.68	true	false	high
adobetarget.data.adobedc.net	66.235.152.225	true	false	high
idsync.rlcdn.com	35.244.154.8	true	false	high
a.tribalfusion.com	172.64.150.63	true	false	high
sync.crwdcntrl.net	13.228.48.14	true	false	high
cm.g.doubleclick.net	172.217.17.34	true	false	high
sni1gl.wpc.omegacdn.net	152.199.21.175	true	false	high
rtb.adentifi.com	34.198.65.183	true	false	high
www.google.com	172.217.21.36	true	false	high
dcs-ups.g03.yahoodns.net	188.125.88.204	true	false	high
dcs-public-edge-irl1-150041215.eu-west-1.elb.amazonaws.com	54.154.234.207	true	false	high
msftenterprise.sc.omtrdc.net	63.140.62.17	true	false	high
ib.anycast.adnxs.com	37.252.172.123	true	false	high
match.adsrvr.org	52.223.40.198	true	false	high
js.monitor.azure.com	unknown	unknown	false	high
ag.innovid.com	unknown	unknown	false	high
idpix.media6degrees.com	unknown	unknown	false	high
px.owneriq.net	unknown	unknown	false	high
ds.reson8.com	unknown	unknown	false	high
ups.analytics.yahoo.com	unknown	unknown	false	high
cm.everesttech.net	unknown	unknown	false	high
jadserve.postrelease.com	unknown	unknown	false	high
dmpsync.3lift.com	unknown	unknown	false	high
dpm.demdex.net	unknown	unknown	false	high
rtd-tm.everesttech.net	unknown	unknown	false	high
servedby.flashtalking.com	unknown	unknown	false	high
assets.adobedtm.com	unknown	unknown	false	high
rtd.tubemogul.com	unknown	unknown	false	high
aadcdn.msftauth.net	unknown	unknown	false	high
mscom.demdex.net	unknown	unknown	false	high
mem.gfx.ms	unknown	unknown	false	high
analytics.twitter.com	unknown	unknown	false	high
c.s-microsoft.com	unknown	unknown	false	high
cms.quantserve.com	unknown	unknown	false	high
support.content.office.net	unknown	unknown	false	high
cms.analytics.yahoo.com	unknown	unknown	false	high
ib.adnxs.com	unknown	unknown	false	high
login.microsoftonline.com	unknown	unknown	false	high
sync-tm.everesttech.net	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://dpm.demdex.net/ibs:dpid=411&dpuuid=Z3FGwQAAAIPC1wOJ	false	high
https://idsync.rlcdn.com/365868.gif?partner_uid=81980359511806646913714319239841733483	false	high
https://bttrack.com/dmp/adobe/user?dd_uuid=81980359511806646913714319239841733483	false	high
https://cms.analytics.yahoo.com/cms?partner_id=ADOBE&_hosted_id=81980359511806646913714319239841733483&gdpr=0&gdpr_consent=	false	high
https://msftenterprise.sc.omtrdc.net/id?d_visid_ver=4.4.0&d_fieldgroup=A&mcorgid=EA76ADE95776D2EC7F000101%40AdobeOrg&mid=81699440500871430363688403270984381028&ts=1735476925721	false	high
https://dpm.demdex.net/ibs:dpid=477&dpuuid=779416a4c94a11361c21809cfac65e3347c1e49f6529a35cccf14d681b05f925b0da87c991749652	false	high
https://ib.adnxs.com/bounce?%2Fgetuid%3Fhttps%253A%252F%252Fdpm.demdex.net%252Fibs%253Adpid%253D358%2526dpuuid%253D%2524UID	false	high
https://dpm.demdex.net/ibs:dpid=992&dpuuid=12uyav2s7qrz9	false	high
https://ups.analytics.yahoo.com/ups/58782/cms?partner_id=ADOBE&_hosted_id=81980359511806646913714319239841733483&gdpr=0&gdpr_consent=	false	high
https://dpm.demdex.net/ibs:dpid=80742&dpuuid=c8fd9785-6050-4726-a9f9-b46a4cd24059	false	high
https://dmpsync.3lift.com/getuid?ld=1&gdpr=0&cmp_cs=&us_privacy=&redir=%2F%2Fdpm.demdex.net%2Fibs%3Adpid%3D72352%26dpuuid%3D%24UID%26gdpr%3D0%26gdpr_consent%3D	false	high
https://a.tribalfusion.com/i.match?p=b13&u=81980359511806646913714319239841733483&redirect=https%3A%2F%2Fdpm.demdex.net%2Fibs%3Adpid=22054&dpuuid=$TF_USER_ID_ENC$	false	high
https://dpm.demdex.net/ibs:dpid=903&dpuuid=1583541f-3b09-4660-8f24-5ee8afc5ad60	false	high
https://dpm.demdex.net/ibs:dpid=782&dpuuid=Z3FGwQAAAIPC1wOJ	false	high
https://ups.analytics.yahoo.com/ups/58782/cms?partner_id=ADOBE&_hosted_id=81980359511806646913714319239841733483&gdpr=0&gdpr_consent=&uid=81980359511806646913714319239841733483&verify=true	false	high
https://dpm.demdex.net/id?d_visid_ver=4.4.0&d_fieldgroup=MC&d_rtbd=json&d_ver=2&d_orgid=EA76ADE95776D2EC7F000101%40AdobeOrg&d_nsid=0&ts=1735476923217	false	high
https://dpm.demdex.net/ibs:dpid=49276&dpuuid=4751b02c-91a9-44d0-98c8-2ce193718c9d	false	high
https://analytics.twitter.com/i/adsct?p_user_id=81980359511806646913714319239841733483&p_id=38594	false	high
https://dpm.demdex.net/ibs:dpid=3047&dpuuid=62072665D1BB57&gdpr=0&gdpr_consent=	false	high
https://dpm.demdex.net/ibs:dpid=1957&dpuuid=36FF432003A167C3345E564402D36635	false	high
https://dpm.demdex.net/ibs:dpid=358&dpuuid=7919660468872361886	false	high
https://cm.g.doubleclick.net/pixel?google_nid=adobe_dmp&google_cm&gdpr=0&gdpr_consent=&google_hm=ODE5ODAzNTk1MTE4MDY2NDY5MTM3MTQzMTkyMzk4NDE3MzM0ODM=	false	high
https://dpm.demdex.net/ibs:dpid=1175&gdpr=0&dpuuid=rBnh2q4Ystq3HrTfrxj70qhItNm3GrLbrRp0Vyrd	false	high
https://s.tribalfusion.com/z/i.match?p=b13&u=81980359511806646913714319239841733483&redirect=https%3A%2F%2Fdpm.demdex.net%2Fibs%3Adpid=22054&dpuuid=$TF_USER_ID_ENC$	false	high
https://mscom.demdex.net/dest5.html?d_nsid=0	false	high
https://cms.quantserve.com/pixel/p-vj4AYjBqd6VJ2.gif?idmatch=0&gdpr=0&gdpr_consent=	false	high
https://idsync.rlcdn.com/1000.gif?memo=CKyqFhIxCi0IARCYEhomODE5ODAzNTk1MTE4MDY2NDY5MTM3MTQzMTkyMzk4NDE3MzM0ODMQABoNCMONxbsGEgUI6AcQAEIASgA	false	high
https://ib.adnxs.com/getuid?https%3A%2F%2Fdpm.demdex.net%2Fibs%3Adpid%3D358%26dpuuid%3D%24UID	false	high
https://cm.g.doubleclick.net/pixel?google_nid=adobe_dmp&google_cm=&gdpr=0&gdpr_consent=&google_hm=ODE5ODAzNTk1MTE4MDY2NDY5MTM3MTQzMTkyMzk4NDE3MzM0ODM=&google_tc=	false	high
https://rtb.adentifi.com/CookieSyncAdobe	false	high
https://dpm.demdex.net/ibs:dpid=22054	false	high
https://dpm.demdex.net/ibs:dpid=72352&dpuuid=1308204673543769676240&gdpr=0&gdpr_consent=	false	high
https://dpm.demdex.net/ibs:dpid=771&dpuuid=CAESEIv6GK4jHao86K5Dl2BpM8w&google_cver=1?gdpr=0&gdpr_consent=	false	high
https://dpm.demdex.net/ibs:dpid=57282&dpuuid=2E914D972AFE82751AB32520679948A5	false	high
https://dpm.demdex.net/ibs:dpid=53196&dpuuid=Q7887633501042930475	false	high
https://ag.innovid.com/dv/sync?tid=6	false	high
https://dpm.demdex.net/id?d_visid_ver=4.4.0&d_fieldgroup=AAM&d_rtbd=json&d_ver=2&d_orgid=EA76ADE95776D2EC7F000101%40AdobeOrg&d_nsid=0&d_mid=81699440500871430363688403270984381028&d_blob=6G1ynYcLPuiQxYZrsz_pkqfLG9yMXBpb2zX5dvJdYQJzPXImdj0y&d_cid_ic=MC1%0163539283e80441aa9dfff040b635d212%012&ts=1735476928112	false	high
https://dmpsync.3lift.com/getuid?redir=%2F%2Fdpm.demdex.net%2Fibs%3Adpid%3D72352%26dpuuid%3D$UID%26gdpr%3D0%26gdpr_consent%3D&gdpr=0&gdpr_consent=	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl3.digir	SystemUpdate.exe, 00000012.00000003.1843629057.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000004.00000002.1957310258.000002513C583000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000039.00000003.2435149189.0000015985EE3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000039.00000003.2435149189.0000015985F34000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000039.00000003.2435149189.0000015985F47000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1718087522.000001F6E2426000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1710025061.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709463356.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709298564.000001F6E2436000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709347432.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709311079.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000002.1757804161.000001F6E23E4000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709590975.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709463356.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1756004944.000001F6E4403000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1756716169.000001F6E23E3000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709730001.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709285474.000001F6E243B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709913441.000001F6E23FF000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709913441.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709347432.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1755741956.000001F6E23B6000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1755934980.000001F6E23DF000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709590975.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000002.1758961819.000001F6E4404000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709198904.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl3.digi	T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1702887018.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1814913258.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1843629057.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.python.org/download/releases/2.3/mro/.	T1#U52a9#U624b1.0.1.exe, 00000001.00000002.1758674190.000001F6E41F0000.00000004.00001000.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1710459219.000001F6E244D000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000E.00000003.1829408407.000002B9E79B9000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000E.00000003.1829474776.000002B9E79CD000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1865587018.000001D545EE1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.microsoftp	powershell.exe, 00000004.00000002.1866941156.000002512A885000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/Prod.C:	svchost.exe, 00000039.00000003.2435149189.0000015985E96000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2	svchost.exe, 00000039.00000003.2435149189.0000015985F02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A903B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1704803384.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1821331699.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1820471446.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1817110616.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1817110616.000001EB0A292000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1844723692.00000245F38CD000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1846178643.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1844723692.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000004.00000002.1957310258.000002513C583000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1882736475.0000026FBFCF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1957310258.000002513C583000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.python.org/dev/peps/pep-0205/	T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1706919277.00000173A9033000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1825196606.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1851565284.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1867345702.000001D545EEE000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000013.00000003.1867589312.000001D545EEE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.1846925587.0000026FAFC81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1867366706.000002512C511000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl3.digi~R	WinHex.exe, 0000000B.00000003.1814913258.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000039.00000003.2435149189.0000015985F02000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1710025061.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709463356.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709311079.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000002.1758367361.000001F6E3C50000.00000004.00001000.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709913441.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709347432.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709590975.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709198904.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000E.00000003.1827855767.000002B9E799E000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000E.00000003.1828277109.000002B9E799E000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000E.00000003.1828101951.000002B9E799E000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000E.00000003.1828556196.000002B9E799E000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000E.00000003.1828023488.000002B9E799E000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000E.00000003.1829089256.000002B9E799E000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000E.00000003.1828002573.000002B9E79A4000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000E.00000003.1828823515.000002B9E799E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1882736475.0000026FBFCF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1957310258.000002513C583000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000004.00000002.1867366706.000002512C738000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.1867366706.000002512C738000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.1846925587.0000026FAFEA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1867366706.000002512C738000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.1867366706.000002512C738000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.thawte.com0	T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A903B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1703976809.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1704803384.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1821331699.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1820471446.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1817110616.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1817110616.000001EB0A292000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1844723692.00000245F38CD000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1846178643.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1844723692.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1718087522.000001F6E2426000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1710025061.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709463356.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709298564.000001F6E2436000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709347432.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709311079.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000002.1757804161.000001F6E23E4000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709590975.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709463356.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1756004944.000001F6E4403000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1756716169.000001F6E23E3000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709730001.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709285474.000001F6E243B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709913441.000001F6E23FF000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709913441.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709347432.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1755741956.000001F6E23B6000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1755934980.000001F6E23DF000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709590975.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1756154803.000001F6E4407000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709198904.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000004.00000002.1957310258.000002513C583000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L6	T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709298564.000001F6E2436000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.python.org/d	T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1755828370.000001F6E4452000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1755443946.000001F6E4452000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000002.1758988977.000001F6E4452000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1756154803.000001F6E4452000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.1867366706.000002512C738000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1718087522.000001F6E2426000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1710025061.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709463356.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709298564.000001F6E2436000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709347432.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709311079.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000002.1757804161.000001F6E23E4000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709590975.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709463356.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1756004944.000001F6E4403000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1756716169.000001F6E23E3000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709730001.000001F6E2402000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709285474.000001F6E243B000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709913441.000001F6E23FF000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709913441.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709347432.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1755741956.000001F6E23B6000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1755934980.000001F6E23DF000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709590975.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000002.1758961819.000001F6E4404000.00000004.00000020.00020000.00000000.sdmp, T1#U52a9#U624b1.0.1.exe, 00000001.00000003.1709198904.000001F6E2431000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 00000039.00000003.2435149189.0000015985F02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.coo	powershell.exe, 00000004.00000002.1975794345.0000025144A9F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.1846925587.0000026FAFEA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1867366706.000002512C738000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.openssl.org/H	T1#U52a9#U624b1.0.1.exe, 00000000.00000003.1704803384.00000173A9032000.00000004.00000020.00020000.00000000.sdmp, WinHex.exe, 0000000B.00000003.1821331699.000001EB0A289000.00000004.00000020.00020000.00000000.sdmp, SystemUpdate.exe, 00000012.00000003.1846178643.00000245F38C4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.1846925587.0000026FAFC81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1867366706.000002512C511000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	SystemUpdate.exe, 00000013.00000003.1855864818.000001D545E9C000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.228.74.200	global.px.quantserve.com	United Kingdom	27281	QUANTCASTUS	false
35.244.154.8	idsync.rlcdn.com	United States	15169	GOOGLEUS	false
52.43.7.224	aragorn-prod-or-acai-lb.inbake.com	United States	16509	AMAZON-02US	false
54.154.234.207	dcs-public-edge-irl1-150041215.eu-west-1.elb.amazonaws.com	United States	16509	AMAZON-02US	false
63.140.62.222	unknown	United States	15224	OMNITUREUS	false
8.212.101.195	unknown	Singapore	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true
172.217.17.34	cm.g.doubleclick.net	United States	15169	GOOGLEUS	false
172.64.150.63	s.tribalfusion.com	United States	13335	CLOUDFLARENETUS	false
63.140.62.17	msftenterprise.sc.omtrdc.net	United States	15224	OMNITUREUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
152.199.21.175	sni1gl.wpc.alphacdn.net	United States	15133	EDGECASTUS	false
52.223.40.198	match.adsrvr.org	United States	8987	AMAZONEXPANSIONGB	false
37.252.172.123	ib.anycast.adnxs.com	European Union	29990	ASN-APPNEXUS	false
34.198.65.183	rtb.adentifi.com	United States	14618	AMAZON-AESUS	false
172.217.21.36	www.google.com	United States	15169	GOOGLEUS	false
192.132.33.68	bttrack.com	United States	18568	BIDTELLECTUS	false
76.223.111.18	eu-eb2.3lift.com	United States	16509	AMAZON-02US	false
54.155.166.119	unknown	United States	16509	AMAZON-02US	false
104.244.42.67	s.twitter.com	United States	13414	TWITTERUS	false
34.241.209.94	unknown	United States	16509	AMAZON-02US	false
188.125.88.204	dcs-ups.g03.yahoodns.net	United Kingdom	10310	YAHOO-1US	false
104.244.42.195	unknown	United States	13414	TWITTERUS	false

Private

IP
192.168.2.4
127.0.0.1
192.168.2.23
192.168.2.15
192.168.2.14

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581935
Start date and time:	2024-12-29 13:51:52 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	129
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	T1#U52a9#U624b1.0.1.exe renamed because original name is a hash value
Original Sample Name:	T11.0.1.exe
Detection:	MAL
Classification:	mal46.evad.winEXE@262/400@106/27
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 59 Number of non-executed functions: 71
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 51.11.168.232, 23.218.210.69, 199.232.214.172, 23.212.89.111, 192.229.221.95, 184.28.89.167, 172.217.19.227, 172.217.19.238, 173.194.220.84, 142.250.181.142, 184.28.90.27, 88.221.169.152, 2.19.198.65, 23.32.238.153, 104.122.214.103, 20.42.73.26, 104.102.52.100, 2.18.64.20, 2.18.64.21, 104.122.214.164, 118.214.130.157, 40.126.53.9, 20.190.181.0, 20.190.181.5, 40.126.53.15, 40.126.53.14, 40.126.53.7, 20.190.181.6, 20.190.181.4, 172.217.21.42, 172.217.19.10, 172.217.19.170, 172.217.19.234, 172.217.19.202, 216.58.208.234, 142.250.181.138, 172.217.17.42, 172.217.17.74, 142.250.181.74, 142.250.181.106, 23.32.238.99, 23.32.238.98, 20.190.147.2, 20.190.177.82, 20.190.147.7, 20.190.147.3, 20.190.147.6, 20.190.147.5, 20.190.147.1, 20.190.177.147, 104.122.213.91, 20.223.35.26, 172.217.17.35, 172.217.17.46, 34.104.35.123, 152.199.19.161, 51.104.15.252, 2.16.189.232, 52.167.30.171, 184.28.89.233, 54.75.138.108, 52.212.218.22, 34.255.155.228, 40.126.53.10, 20.190.181.3, 20.190.181.
Excluded domains from analysis (whitelisted): greenid-prod-pme.eastus2.cloudapp.azure.com, lgincdnmsftuswe2.azureedge.net, pme-greenid-prod.trafficmanager.net, cn-assets.adobedtm.com.edgekey.net, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, ak.privatelink.msidentity.com, offertoolproduction.azureedge.net, dlc-shim.trafficmanager.net, e12671.dscd.akamaiedge.net, clients2.google.com, download.microsoft.com.edgekey.net, star-azurefd-prod.trafficmanager.net, aws-oreg-cali-virg.ag.innovid.com.akadns.net, acctcdnvzeuno.azureedge.net, acctcdnvzeuno.ec.azureedge.net, acctcdnmsftuswe2.azureedge.net, c-bing-com.dual-a-0034.a-msedge.net, cm.everesttech.net.akadns.net, lgincdnvzeuno.ec.azureedge.net, onedscolprdeus12.eastus.cloudapp.azure.com, c-s.cms.ms.akadns.net, edgedl.me.gvt1.com, c.bing.com, fpt6.microsoft.com, c.s-microsoft.com-c.edgekey.net, clients.l.google.com, iris-de-prod-azsc-v2-neu.northeurope.cloudapp.azure.com, wildcard.owneriq.net.edgekey.net, cs9.wpc.v0cdn.net, h2.shared.global.
Execution Graph export aborted for target powershell.exe, PID 3004 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3568 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: T1#U52a9#U624b1.0.1.exe

Simulations

Behavior and APIs

Time	Type	Description
12:52:56	Task Scheduler	Run new task: MicrosoftEdgeUpdatesOnce path: C:\Users\user\AppData\Roaming\../LineInst.exe
12:52:56	Task Scheduler	Run new task: MicrosoftEdgeUpdatesOnceMe path: C:\Users\user\AppData\Roaming\../WinHex.exe

LLM Input / Output

Input	Output
URL: https://microsoft.com Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: https://microsoft.com
URL: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://support.microsoft.com/en-us/windows/upgrade-to-windows-10-faq-cce52341-7943-594e-72ce-e1cf00382445 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: https://support.microsoft.com/en-US/windows/cce52341-7943-594e-72ce-e1cf00382445 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://support.microsoft.com/en-US/windows/cce52341-7943-594e-72ce-e1cf00382445 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.228.74.200	https://www.bing.com/ck/a?!&&p=24da94b1cbc4e30be5abd9acb5737b3bdb775a56c39aac0141dd9c17c937dea1JmltdHM9MTczMzI3MDQwMA&ptn=3&ver=2&hsh=4&fclid=1bf8b81c-3b95-652f-24ec-ad573a81643b&u=a1aHR0cHM6Ly93d3cueXV4aW5na2V0YW5nLmNvbS9jb2xsZWN0aW9ucy90aHJvdy1ibGFua2V0cw#aHR0cHM6Ly9jSUEudm9taXZvci5ydS9Td1dIay8=/%23dGVzbGFAdGVzbGEuY29t	Get hash	malicious	Unknown	Browse
	http://ebaumsworld.com	Get hash	malicious	Unknown	Browse
	EFT Remittance_(Deerequipment)CQDM.html	Get hash	malicious	Unknown	Browse
	Product Blueprint..html	Get hash	malicious	HTMLPhisher	Browse
	http://www.javatpoint.com.cach3.com/	Get hash	malicious	Unknown	Browse
	https://es.vecteezy.com/arte-vectorial/20279878-kyd-letra-logo-diseno-en-blanco-antecedentes-kyd-creativo-circulo-letra-logo-concepto-kyd-letra-diseno	Get hash	malicious	Unknown	Browse
	https://www.google.co.ao/url?Obdy=ObM8wNGVUva21gnTm3qS&cgsr=7knoOQwChvIkzgfn0TSm&sa=t&wofc=nQYL5DF797O1da77PTBQ&url=amp%2Fprimer-distrito-amvt.org%2F.r%2FiO8EME-SUREDANNaW50ZXJtb2RhbC5qYXhAc2VhYm9hcmRtYXJpbmUuY29t	Get hash	malicious	Unknown	Browse
	phish_alert_iocp_v1.4.48 (68).eml	Get hash	malicious	Unknown	Browse
	Unit 2_week 4 2024.pptx	Get hash	malicious	HTMLPhisher	Browse
	http://samobile.net/content/offsite_article.html?url=https%3A%2F%2Fsepedatua.com%2F158983%2Fsecure-redirect%23cnichols%2Bderickdermatology.com&headline=New+Jerusalem%2C+The+by+Chesterton%2C+G.+K	Get hash	malicious	Captcha Phish	Browse
63.140.62.222	http://vimuscle.vi/css/TB.html	Get hash	malicious	Unknown	Browse	info.telstra.com.au/b/ss/telstratdtmglobalprd/1/JS-2.10.0/s81407038587847?AQB=1&ndh=1&pf=1&t=24%2F8%2F2024%2021%3A37%3A27%202%20240&sdid=080702B973E60E46-3262A79A37C4013C&mid=80393247477718675596040170536517987875&aamlh=6&ce=UTF-8&ns=telstracorporation&cdp=3&fpCookieDomainPeriods=2&pageName=TD%3ATR%3ATR%3Acss%3Asign%20in%20with%20your%20telstra%20id&g=http%3A%2F%2Fvimuscle.vi%2Fcss%2FTB.html&cc=AUD&ch=css&server=vimuscle.vi&events=event27&aamb=j8Odv6LonN4r3an7LhD3WZrU1bUpAkFkkiY1ncBR96t2PTI&c1=TD&v1=TD&h1=TD%7CTR%7CTR%7Ccss%7Csign%20in%20with%20your%20telstra%20id&c2=TR&v2=TR&c3=TR&v3=TR&c4=D%3Dv5&v4=D%3Dch&c5=D%3Dv72&v5=tb.html&c6=D%3Dproducts&v6=css%3Atb.html&c7=%2Fcss%2FTB&c8=D%3Dg&v8=D%3Dg&c9=%2F%2Fwww.telstra.com.au%2Fcontent%2Fdam%2Fanalytics%2Fadobetags.min.js%3Fsource%3DCQ5%20%7C%20launch%20%7C%20prd%20%7C%20tz%3D-4&c11=no%20jQuery&c16=Wed%2C%2025%20Sep%202024%2001%3A37%3A27%20GMT&v18=di&c19=First%20Visit&c35=D%3DUser-Agent&v35=D%3DUser-Agent&c41=9%3A30PM&c42=Tuesday&c43=Weekday&c44=D%3Dv44%2B%22%3A%22%2BpageName&v4
52.43.7.224	EFT Remittance_(Deerequipment)CQDM.html	Get hash	malicious	Unknown	Browse
52.43.7.224	https://wetransfer.com/downloads/a83584fea59b11ef1e94d36869e8790020241209234540/89744b9472f9ce1b5e3b4ada79f2184c20241209234540/7041ff?t_exp=1734047140&t_lsid=42d44d78-6d8f-48db-8db5-5efa0c86786d&t_network=email&t_rid=ZW1haWx8Njc0ZjQ5YTNiNjM1NTFjNmY2NTg0N2Zj&t_s=download_link&t_ts=1733787940&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01	Get hash	malicious	Unknown	Browse
54.154.234.207	https://www.bing.com/ck/a?!&&p=24da94b1cbc4e30be5abd9acb5737b3bdb775a56c39aac0141dd9c17c937dea1JmltdHM9MTczMzI3MDQwMA&ptn=3&ver=2&hsh=4&fclid=1bf8b81c-3b95-652f-24ec-ad573a81643b&u=a1aHR0cHM6Ly93d3cueXV4aW5na2V0YW5nLmNvbS9jb2xsZWN0aW9ucy90aHJvdy1ibGFua2V0cw#aHR0cHM6Ly9jSUEudm9taXZvci5ydS9Td1dIay8=/%23dGVzbGFAdGVzbGEuY29t	Get hash	malicious	Unknown	Browse
	Product Blueprint..html	Get hash	malicious	HTMLPhisher	Browse
	https://www.dropbox.com/l/AADbLOqftgPkdsTWgBgFyNpmu-iGeYJGM4I	Get hash	malicious	Unknown	Browse
	https://vacilandoblog.wordpress.com/2015/04/22/a-tribute-to-my-mother-in-law-rest-in-peace-april-22-2015/	Get hash	malicious	Unknown	Browse
	http://www.earthcam.net/refer/refer.php?h=1&t=ai&a=MjAyNDEwVExPTQ==&u=http:%2f%2fhidroregjioni-jugor.com%2fdayo/QNMvj/ZGF2aWRidWxsQGFya2ZpbmFuY2lhbC5jb20=	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
global.px.quantserve.com	http://bluepeak-group.com/fc	Get hash	malicious	Unknown	Browse	91.228.74.159
	https://www.bing.com/ck/a?!&&p=24da94b1cbc4e30be5abd9acb5737b3bdb775a56c39aac0141dd9c17c937dea1JmltdHM9MTczMzI3MDQwMA&ptn=3&ver=2&hsh=4&fclid=1bf8b81c-3b95-652f-24ec-ad573a81643b&u=a1aHR0cHM6Ly93d3cueXV4aW5na2V0YW5nLmNvbS9jb2xsZWN0aW9ucy90aHJvdy1ibGFua2V0cw#aHR0cHM6Ly9jSUEudm9taXZvci5ydS9Td1dIay8=/%23dGVzbGFAdGVzbGEuY29t	Get hash	malicious	Unknown	Browse	91.228.74.200
	https://afg.acemlnb.com/lt.php?x=3TZy~GE3UnGZEpJA-w9HgOSc2K2ji_L0wu1gjqXGIXSh587-zEy.zuJr1Y2iitE~judAXHPHJeTMHaWtOdxFVOFx23MoiND	Get hash	malicious	Unknown	Browse	91.228.74.166
	https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document	Get hash	malicious	HTMLPhisher	Browse	91.228.74.244
	http://ebaumsworld.com	Get hash	malicious	Unknown	Browse	91.228.74.166
	https://feji.us/m266he	Get hash	malicious	Unknown	Browse	91.228.74.166
	vFile__0054seconds__Arkansas.html	Get hash	malicious	Unknown	Browse	91.228.74.244
	EFT Remittance_(Deerequipment)CQDM.html	Get hash	malicious	Unknown	Browse	91.228.74.200
	Product Blueprint..html	Get hash	malicious	HTMLPhisher	Browse	91.228.74.200
	https://santa-secret.ru/api/verify?a=NjgyODEwNCw1bWluOHE2MHpuX3J1LC9hY2NvdW50L2JveGVzLHZsYWRpbWlyLmdsdXNoZW5rb0Bob2NobGFuZC5ydSwyNDE0MTYzMg==	Get hash	malicious	Unknown	Browse	91.228.74.166
s.tribalfusion.com	https://www.bing.com/ck/a?!&&p=24da94b1cbc4e30be5abd9acb5737b3bdb775a56c39aac0141dd9c17c937dea1JmltdHM9MTczMzI3MDQwMA&ptn=3&ver=2&hsh=4&fclid=1bf8b81c-3b95-652f-24ec-ad573a81643b&u=a1aHR0cHM6Ly93d3cueXV4aW5na2V0YW5nLmNvbS9jb2xsZWN0aW9ucy90aHJvdy1ibGFua2V0cw#aHR0cHM6Ly9jSUEudm9taXZvci5ydS9Td1dIay8=/%23dGVzbGFAdGVzbGEuY29t	Get hash	malicious	Unknown	Browse	172.64.150.63
	https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document	Get hash	malicious	HTMLPhisher	Browse	104.18.37.193
	vFile__0054seconds__Arkansas.html	Get hash	malicious	Unknown	Browse	104.18.37.193
	EFT Remittance_(Deerequipment)CQDM.html	Get hash	malicious	Unknown	Browse	104.18.37.193
	Product Blueprint..html	Get hash	malicious	HTMLPhisher	Browse	104.18.37.193
	https://sendgb.com/dxukcl49bIj?utm_medium=mvC3BJ1YMhqe8zn	Get hash	malicious	HTMLPhisher	Browse	172.64.150.63
	https://bdb142c8309e44b2310105b0e00240d6.surge.sh/	Get hash	malicious	Unknown	Browse	104.18.37.193
	tmpE43E.htm	Get hash	malicious	Unknown	Browse	172.64.150.63
	https://www.google.co.ao/url?Obdy=ObM8wNGVUva21gnTm3qS&cgsr=7knoOQwChvIkzgfn0TSm&sa=t&wofc=nQYL5DF797O1da77PTBQ&url=amp%2Fprimer-distrito-amvt.org%2F.r%2FiO8EME-SUREDANNaW50ZXJtb2RhbC5qYXhAc2VhYm9hcmRtYXJpbmUuY29t	Get hash	malicious	Unknown	Browse	172.64.150.63
	https://www.calameo.com/read/007817996f562cfb4f52a	Get hash	malicious	HTMLPhisher	Browse	172.64.150.63

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	main_mpsl.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	Tool_Unlock_v1.2.exe	Get hash	malicious	Vidar	Browse	108.138.128.56
	db0fa4b8db0333367e9bda3ab68b8042.m68k.elf	Get hash	malicious	Mirai, Gafgyt	Browse	54.253.4.52
	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig	Browse	13.226.4.166
	https://kn0wbe4.compromisedblog.com/XZHJISTcycW1tZkROWG92Y2ZEc21laS80dzNTR2N0eEsvTDFRWGFNODdGaGtjNGo5VzRyMFRUQmFLM0grcGxUbnBSTVFhMEg2Smd3UkovaXVjaUpIcG1hZG5CQnh5aFlZTXNqNldTdm84cE5CMUtld0dCZzN4ZUFRK2lvL1FWTG92NUJsMnJ3OHFGckdTNFhnMkFUTFZFZTdKRnVJaTRuRGFKdXVyeUdCVytuQzdnMEV1ZExSMnlwWi9RPT0tLTdnZjhxQVZPbUdTdFZXVUEtLXA0bHNCNGxmeTdrdmlkWWRVcmRXRWc9PQ==?cid=2310423310	Get hash	malicious	KnowBe4	Browse	3.160.188.119
	oiA5KmV0f0.exe	Get hash	malicious	Njrat	Browse	18.197.239.5
	db0fa4b8db0333367e9bda3ab68b8042.x86.elf	Get hash	malicious	Mirai, Gafgyt	Browse	35.75.100.61
	arm6.elf	Get hash	malicious	Gafgyt	Browse	54.171.230.55
QUANTCASTUS	https://www.bing.com/ck/a?!&&p=24da94b1cbc4e30be5abd9acb5737b3bdb775a56c39aac0141dd9c17c937dea1JmltdHM9MTczMzI3MDQwMA&ptn=3&ver=2&hsh=4&fclid=1bf8b81c-3b95-652f-24ec-ad573a81643b&u=a1aHR0cHM6Ly93d3cueXV4aW5na2V0YW5nLmNvbS9jb2xsZWN0aW9ucy90aHJvdy1ibGFua2V0cw#aHR0cHM6Ly9jSUEudm9taXZvci5ydS9Td1dIay8=/%23dGVzbGFAdGVzbGEuY29t	Get hash	malicious	Unknown	Browse	91.228.74.200
	https://afg.acemlnb.com/lt.php?x=3TZy~GE3UnGZEpJA-w9HgOSc2K2ji_L0wu1gjqXGIXSh587-zEy.zuJr1Y2iitE~judAXHPHJeTMHaWtOdxFVOFx23MoiND	Get hash	malicious	Unknown	Browse	91.228.74.166
	https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document	Get hash	malicious	HTMLPhisher	Browse	91.228.74.244
	http://ebaumsworld.com	Get hash	malicious	Unknown	Browse	91.228.74.166
	https://feji.us/m266he	Get hash	malicious	Unknown	Browse	91.228.74.166
	vFile__0054seconds__Arkansas.html	Get hash	malicious	Unknown	Browse	91.228.74.244
	EFT Remittance_(Deerequipment)CQDM.html	Get hash	malicious	Unknown	Browse	91.228.74.200
	Product Blueprint..html	Get hash	malicious	HTMLPhisher	Browse	91.228.74.200
	https://santa-secret.ru/api/verify?a=NjgyODEwNCw1bWluOHE2MHpuX3J1LC9hY2NvdW50L2JveGVzLHZsYWRpbWlyLmdsdXNoZW5rb0Bob2NobGFuZC5ydSwyNDE0MTYzMg==	Get hash	malicious	Unknown	Browse	91.228.74.166
	http://www.javatpoint.com.cach3.com/	Get hash	malicious	Unknown	Browse	91.228.74.159
AMAZON-02US	main_mpsl.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	Tool_Unlock_v1.2.exe	Get hash	malicious	Vidar	Browse	108.138.128.56
	db0fa4b8db0333367e9bda3ab68b8042.m68k.elf	Get hash	malicious	Mirai, Gafgyt	Browse	54.253.4.52
	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig	Browse	13.226.4.166
	https://kn0wbe4.compromisedblog.com/XZHJISTcycW1tZkROWG92Y2ZEc21laS80dzNTR2N0eEsvTDFRWGFNODdGaGtjNGo5VzRyMFRUQmFLM0grcGxUbnBSTVFhMEg2Smd3UkovaXVjaUpIcG1hZG5CQnh5aFlZTXNqNldTdm84cE5CMUtld0dCZzN4ZUFRK2lvL1FWTG92NUJsMnJ3OHFGckdTNFhnMkFUTFZFZTdKRnVJaTRuRGFKdXVyeUdCVytuQzdnMEV1ZExSMnlwWi9RPT0tLTdnZjhxQVZPbUdTdFZXVUEtLXA0bHNCNGxmeTdrdmlkWWRVcmRXRWc9PQ==?cid=2310423310	Get hash	malicious	KnowBe4	Browse	3.160.188.119
	oiA5KmV0f0.exe	Get hash	malicious	Njrat	Browse	18.197.239.5
	db0fa4b8db0333367e9bda3ab68b8042.x86.elf	Get hash	malicious	Mirai, Gafgyt	Browse	35.75.100.61
	arm6.elf	Get hash	malicious	Gafgyt	Browse	54.171.230.55

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\$Windows.~WS\Sources\DU.dll	7bYDInO.rtf	Get hash	malicious	Unknown	Browse
C:\$Windows.~WS\Sources\DiagTrack.dll	MediaCreationTool.bat	Get hash	malicious	Unknown	Browse
C:\$Windows.~WS\Sources\DiagTrack.dll	7bYDInO.rtf	Get hash	malicious	Unknown	Browse

Process:	C:\$Windows.~WS\Sources\SetupHost.exe
File Type:	Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	1908
Entropy (8bit):	4.874587641202385
Encrypted:	false
SSDEEP:	24:5I5aVbJDP+tUI0X3AN0/1Cvf/g3vvQ/1Cv8Gh/1Cvze/g3vO/1CvVL/1CvR/g3v9:5MwiGI0P4GsfT/7eLy
MD5:	D1E75542EC8D1B4851765A57AC63618E
SHA1:	A231451F545D3133E5D6A0487A59C5DBD01EE50E
SHA-256:	6C06BF950D0FE3476E020CD363EC0C8C9D4EE0FC89A24C50780C44E6453995C6
SHA-512:	89D3C182833B97B0899ECD45DE1439F8341BF2EA11578E2085375A4DB3CC18FAD221998DC4B6F4407381D2134CB43D78025349DED1E50B6A4EEA5919B18B168C
Malicious:	false
Preview:	.<xml xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882". xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882". xmlns:rs="urn:schemas-microsoft-com:rowset". xmlns:z="#RowsetSchema">.<s:Schema id="RowsetSchema">.<s:ElementType name="row" content="eltOnly" rs:updatable="true">.<s:AttributeType name="Cls" rs:number="0">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Sev" rs:number="1">.<s:datatype dt:type="int"/>.</s:AttributeType>.<s:AttributeType name="Maj" rs:number="2">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Min" rs:number="3">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="LN" rs:number="4">.<s:datatype dt:type="int"/>.</s:AttributeType>.<s:AttributeType name="Fil" rs:number="5">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Fun" rs:number="6">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Uid" rs:number="7">.<s:datatype dt:type="int"/>.</s:At

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3797934391220423
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvryH:KooCEYhgYEL0IncLpzR
MD5:	C439E2DFFD388F0F538F84D6E2F04C61
SHA1:	225CB39395B5D7145303FDD0AFC5CF369BFC5AFB
SHA-256:	1ACEE57D47963B1A340B6878759C88866BD3442B55779ADADA8DFF1236F17D8D
SHA-512:	6CCD575F37970DD483D073D49A36DB24F8EBE29FC2BA91BF2EE4145F7F45459490985BC6BC1BCD4BE723E4031DE0C072F832BBA5C14CCA49E354C44E4FB4D356
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\T1#U52a9#U624b1.0.1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19463448
Entropy (8bit):	5.233180679376348
Encrypted:	false
SSDEEP:	196608:MmtHa+5hH1km/Sf7byFXKEBmih9S5rQ5FNFl001p4Ki:Y+5RB/SDbyFBH9eQD/l00/4
MD5:	AA2AD37BB74C05A49417E3D2F1BD89CE
SHA1:	1BF5F814FFE801B4E6F118E829C0D2821D78A60A
SHA-256:	690C8A63769D444FAD47B7DDECEE7F24C9333AA735D0BD46587D0DF5CF15CDE5
SHA-512:	FAB34CCBEFBCDCEC8F823840C16AE564812D0E063319C4EB4CC1112CF775B8764FEA59D0BBAFD4774D84B56E08C24056FA96F27425C4060E12EB547C2AE086CC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........L...-.-.-..E.-.F.-.F.-.F.-.F.-.-../.F..-.F...-.F.-.Rich.-.........PE..L....JJ..................\|...........)............@...................................)...@...... ..........................<.......................X.(..!...0...f...[..T....................M......8M..@...............8............................text...0{.......\|.................. ..`.data...p1..........................@....idata...+.......,..................@..@.boxload@...........................@..@.rsrc.... ..........................@..@.reloc...f...0...h.................@..B........................................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulpgztZ:NllUO
MD5:	ADB67D140C904AFBF0D2C47FCFC73086
SHA1:	CAA1973FC7AB5367DC2007487049041C6D0AC54E
SHA-256:	BA09CC360CD10629A32D8E84392BAD452284123893B0792F6417340A72E3B951
SHA-512:	85BE6449222EAA096A6F84E051D16DB1147498DA621BDB6C7B5D11CF6C306DB4DE90CEB457EDE22CCA53BC94CF4D1E6D0FAE203D196AF7AF225AF87464E1286E
Malicious:	false
Preview:	@...e.................................x..............@..........

Process:	C:\Users\user\AppData\WinHex.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.7033969967212315
Encrypted:	false
SSDEEP:	96:nDzvM9VD9daQ2iTrqT+6Zdp/Q0I1uLfcC75JiC4Rs89EcYyGDG90OcX6gY/7ECFV:DzvK9damqTrpYTst0E5DGPcqgY/79X
MD5:	0ECC2CADADA5F08F2938BBA764079FF0
SHA1:	00229E7F1F3D519E67F16E0C07E6BDC8E4FBCB16
SHA-256:	C1FF2AB87056DD3DB0448B31D274F92AF25570EC0A74D518E9F4653F7EDDDDCA
SHA-512:	83ED35A13D0FD34F44751C8CC926B6BCB69EE25E852CCA7DAA78033AA83B92F6237E6065658A2DB816770FCC7B9C7DB1E66ABDF9A64BB99CEA3174A8E0DB3E62
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...b..b..b..R...b..Uc..b.Rc..b..c..b..Ug..b..Uf..b..Ua..b..j..b..b..b....b..`..b.Rich.b.................PE..d......e.........." ...%............P........................................p............`.........................................P(.......(..d....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata..,.... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..,....`.......*..............@..B................................................................................................................................................................................................................................................

Process:	C:\Users\user\AppData\SystemUpdate.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	94088
Entropy (8bit):	6.4315064777018955
Encrypted:	false
SSDEEP:	1536:bS6NH9M7vShoxXqYGZLAy10i5XNS83NT/sM9MYDiRecbbVKKoB98:bFRmxXqX0yvX7mHYWRecbb8l
MD5:	7942BE5474A095F673582997AE3054F1
SHA1:	E982F6EBC74D31153BA9738741A7EEC03A9FA5E8
SHA-256:	8EE6B49830436FF3BEC9BA89213395427B5535813930489F118721FD3D2D942C
SHA-512:	49FBC9D441362B65A8D78B73D4FDCF988F22D38A35A36A233FCD54E99E95E29B804BE7EABE2B174188C7860EBB34F701E13ED216F954886A285BED7127619039
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(r%Ml.K.l.K.l.K....n.K.ek..g.K.l.J.@.K..bH.a.K..bO.\|.K..bN.s.K..bK.m.K..b..m.K..bI.m.K.Richl.K.........................PE..d...".._.........." .........^............................................................`A.........................................1..4....9.......p.......P.......L...#..........H...T...............................8............................................text............................... ..`.rdata...?.......@..................@..@.data...@....@.......4..............@....pdata.......P.......8..............@..@_RDATA.......`.......D..............@..@.rsrc........p.......F..............@..@.reloc...............J..............@..B................................................................................................................................................................................................................

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (524)
Category:	downloaded
Size (bytes):	980
Entropy (8bit):	5.221020544248936
Encrypted:	false
SSDEEP:	24:ckGytSvuT/y67L/nV9jViHwukcglwYVTYVu:catwuby67pLRuxmwCTCu
MD5:	EC8AED9DF755A7B27E52317DCF532DF8
SHA1:	60F03B5BF43D1682D1CDB7DAF5A5A37FCD29D4E8
SHA-256:	C152DD3ED8493299EA2712FFC15A0043F417FEDCF4159B2C993A006501D82AC4
SHA-512:	16890D243CE2236AA2CD01C3C85D7B0AA1DB3DC8BF8B9CFE97AD18889F4030A0B6511C9F82C62F2BDA5F1029AFF4E12A9E35B0E182FC3B2B8B677618A589F5CF
Malicious:	false
URL:	https://www.microsoft.com/etc.clientlibs/microsoft/components/content/socialfollow/v1/socialfollow/clientlibs/site.min.ACSHASHec8aed9df755a7b27e52317dcf532df8.js
Preview:	'use strict';$(document).ready(function(){var a=window.matchMedia("(prefers-color-scheme: dark)");a.addEventListener("change",function(k){{const d=document.querySelectorAll(".socialfollow .socialfollow-li img");if(d)for(var e=0;e<d.length;e++){var b=d[e].getAttribute("src"),g=d[e].getAttribute("data-src");b&&(k.matches?(-1<b.indexOf("\x26fmt\x3dpng-alpha")&&(b=b.replace("\x26fmt\x3dpng-alpha",""),d[e].setAttribute("src",b)),-1<b.indexOf("?fmt\x3dpng-alpha")&&(b=b.replace("?fmt\x3dpng-alpha",""),d[e].setAttribute("src",.b))):g&&d[e].setAttribute("src",g))}}});if(a.matches&&(a=document.querySelectorAll(".socialfollow .socialfollow-li img")))for(var f=0;f<a.length;f++){var c=a[f].getAttribute("src"),h=a[f].getAttribute("data-src");c&&(-1<c.indexOf("\x26fmt\x3dpng-alpha")?(c=c.replace("\x26fmt\x3dpng-alpha",""),a[f].setAttribute("src",c)):-1<c.indexOf("?fmt\x3dpng-alpha")?(c=c.replace("?fmt\x3dpng-alpha",""),a[f].setAttribute("src",c)):h&&a[f].setAttribute("src",h))}});

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.998221661432658
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	T1#U52a9#U624b1.0.1.exe
File size:	38'135'059 bytes
MD5:	477d3b9ee775c048f96b450dd00ba490
SHA1:	81f1991882b1bf1cb4b169da6c94b772517ab1eb
SHA256:	799084320848500fef5673799157b94c1db7b74f9651ffe0af326051973cf490
SHA512:	f537425e54a310723ba57d77b147af4dda06cc6eef1a51fdd16374e4696089e95dfa6e8a20188fa6167e2504628a3d31bff17dbf7bde5db5442761a271e43c1a
SSDEEP:	786432:lQLDyaGdLEb0s4mkpLirq7P/aSL7plE7xEh+W:lQLDJl2mkpLsq7naSL1lwxER
TLSH:	0F87331AF27B7194FD70A4BE41E54D74CA77A216C36D848F82A4320F4F93886EA77B44
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6...W...W...W.../...W.../..1W.../...W...+...W...+...W...+...W...+...W.../...W...W...W..3+...W..3+...W..Rich.W.................

Entrypoint:	0x14000b310
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x67659260 [Fri Dec 20 15:50:56 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	0b5552dccd9d0a834cea55c0c8fc05be

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3bd0c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0x153c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4e000	0x20c4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x54000	0x758	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x39480	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39340	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2a000	0x418	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28800	0x28800	443d51fb84559b563832949912f06b00	False	0.5583465952932098	data	6.488023200564254	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2a000	0x12b16	0x12c00	03cb905c3f1d41732066c037532cd74c	False	0.51546875	data	5.824610481275219	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3d000	0x103f8	0xe00	afabb66fdcd2825de5909f10c900fca7	False	0.13309151785714285	DOS executable (block device driver \377\3)	1.8096886543499544	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x4e000	0x20c4	0x2200	7b210ceebebc00c96d1c55c2b456bbb4	False	0.47794117647058826	data	5.274096406482418	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x51000	0x15c	0x200	c059b775abce97446903f3597b027fae	False	0.384765625	data	2.808567494642619	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x52000	0x153c	0x1600	60f303f9f424891fa7b1e054893c5a44	False	0.4366122159090909	data	5.297323385124905	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x54000	0x758	0x800	11aaafc72361ec8886a740c3e209ceb3	False	0.544921875	data	5.2576643703968475	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x520e8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	0.43150319829424305
RT_GROUP_ICON	0x52f90	0x14	data	1.15
RT_MANIFEST	0x52fa4	0x596	XML 1.0 document, ASCII text, with CRLF line terminators	0.4461538461538462

DLL	Import
USER32.dll	CreateWindowExW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetStringTypeW, GetFileAttributesExW, HeapReAlloc, FlushFileBuffers, GetCurrentDirectoryW, IsValidCodePage, GetACP, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, GetModuleFileNameW, GetProcAddress, GetCommandLineW, GetEnvironmentVariableW, GetOEMCP, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, WriteConsoleW, SetEnvironmentVariableW, RtlUnwindEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, SetEndOfFile, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 13:53:06.214797020 CET	138	138	192.168.2.4	192.168.2.255
Dec 29, 2024 13:54:01.127990007 CET	53	62802	1.1.1.1	192.168.2.4
Dec 29, 2024 13:54:01.185153008 CET	53	54693	1.1.1.1	192.168.2.4
Dec 29, 2024 13:54:04.448081970 CET	53	63354	1.1.1.1	192.168.2.4
Dec 29, 2024 13:54:05.384804010 CET	51937	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:05.384946108 CET	52475	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:05.525943041 CET	53	52475	1.1.1.1	192.168.2.4
Dec 29, 2024 13:54:05.527273893 CET	53	51937	1.1.1.1	192.168.2.4
Dec 29, 2024 13:54:12.170912027 CET	61551	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:12.171124935 CET	50510	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:12.171565056 CET	59768	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:12.171678066 CET	65014	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:12.479100943 CET	60447	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:12.479280949 CET	50360	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:12.584022999 CET	54103	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:12.584146976 CET	60659	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:12.617499113 CET	53	60447	1.1.1.1	192.168.2.4
Dec 29, 2024 13:54:12.619344950 CET	53	50360	1.1.1.1	192.168.2.4
Dec 29, 2024 13:54:12.704066992 CET	59115	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:12.704196930 CET	57815	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:21.449836016 CET	53	61069	1.1.1.1	192.168.2.4
Dec 29, 2024 13:54:24.238745928 CET	56814	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:24.238863945 CET	54954	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:30.523979902 CET	54140	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:30.524132013 CET	50742	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:31.925537109 CET	58401	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:31.925657034 CET	55970	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:35.768774986 CET	54078	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:35.769310951 CET	55328	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:39.457058907 CET	53	49930	1.1.1.1	192.168.2.4
Dec 29, 2024 13:54:40.507719994 CET	61850	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:40.507982016 CET	63904	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:40.553570032 CET	53	54792	1.1.1.1	192.168.2.4
Dec 29, 2024 13:54:40.645952940 CET	53	63904	1.1.1.1	192.168.2.4
Dec 29, 2024 13:54:40.646596909 CET	53	61850	1.1.1.1	192.168.2.4
Dec 29, 2024 13:54:44.296098948 CET	59263	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:54:44.296374083 CET	53088	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:00.708163023 CET	53	63844	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:03.060751915 CET	53	50979	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:16.783627987 CET	59452	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:16.783967018 CET	57901	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:16.784991980 CET	54997	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:16.785274029 CET	50408	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:16.970410109 CET	63598	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:16.970617056 CET	55755	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:17.187637091 CET	51663	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:17.187772989 CET	61330	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:24.780841112 CET	49904	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:24.780983925 CET	50429	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:24.919715881 CET	53	50429	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:24.923717022 CET	53	49904	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:26.943504095 CET	54317	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:26.944503069 CET	61355	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:26.958204985 CET	56403	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:26.958369970 CET	63575	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:26.959891081 CET	51446	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:26.960043907 CET	51527	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:27.099184990 CET	53	51527	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:27.239336967 CET	53	56403	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:27.239692926 CET	53	54317	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:27.239980936 CET	53	61355	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:27.244251013 CET	53	63575	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:27.914289951 CET	55054	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:27.914576054 CET	54551	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:28.052855968 CET	53	55054	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:28.053813934 CET	53	54551	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:29.353821039 CET	54157	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:29.356632948 CET	59891	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:29.425221920 CET	56623	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:29.425357103 CET	60065	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:29.492767096 CET	53	54157	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:29.496462107 CET	53	59891	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:29.563626051 CET	53	60065	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:29.663960934 CET	50525	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:29.664258003 CET	62379	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:29.802773952 CET	53	50525	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:29.802844048 CET	53	62379	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:30.679411888 CET	64617	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:30.679671049 CET	59656	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:30.817430019 CET	53	64617	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:30.818157911 CET	53	59656	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:33.163949966 CET	50357	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:33.164189100 CET	50138	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:33.302649975 CET	53	50357	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:33.562407017 CET	53	50138	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:33.858396053 CET	53	51840	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:33.880990028 CET	58367	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:33.881244898 CET	61678	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:34.019368887 CET	53	58367	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:34.024198055 CET	53	61678	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:34.391948938 CET	62858	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:34.392088890 CET	49733	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:35.143851995 CET	62199	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:35.144201040 CET	57597	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:35.145159960 CET	59169	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:35.145368099 CET	60890	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:35.145733118 CET	59928	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:35.145855904 CET	62016	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:35.283926010 CET	53	62016	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:35.284169912 CET	53	59928	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:35.460858107 CET	53	57597	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:36.082081079 CET	51016	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:36.082535028 CET	52643	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:36.881017923 CET	56695	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:36.881520033 CET	59326	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:37.439687014 CET	58011	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:37.439815044 CET	51069	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:37.725682020 CET	53	51069	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:41.361848116 CET	54753	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:41.361995935 CET	58622	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:41.500004053 CET	53	54753	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:41.501394987 CET	53	58622	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:42.722628117 CET	56534	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:42.723180056 CET	55440	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:42.861347914 CET	53	55440	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:42.861392021 CET	53	56534	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:45.229657888 CET	61650	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:45.230135918 CET	54939	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:45.367885113 CET	53	61650	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:45.369926929 CET	53	54939	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:47.258678913 CET	61632	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:47.259174109 CET	55832	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:47.396712065 CET	53	61632	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:47.397527933 CET	53	55832	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:47.973803043 CET	59335	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:47.973964930 CET	62835	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:47.976974010 CET	58810	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:47.977144957 CET	65488	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:47.977518082 CET	53679	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:47.978064060 CET	56068	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:47.979917049 CET	56840	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:47.980084896 CET	53558	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:47.980557919 CET	54847	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:47.980726004 CET	60772	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:47.981260061 CET	49489	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:47.981451035 CET	52237	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:48.115458965 CET	53	58810	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:48.116911888 CET	53	56068	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:48.117023945 CET	53	65488	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:48.121845007 CET	53	60772	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:48.225799084 CET	53	53679	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:48.761847973 CET	50814	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:48.762082100 CET	56868	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:48.899796009 CET	53	50814	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:48.901125908 CET	53	56868	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:49.900521994 CET	60925	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:49.900794983 CET	57867	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:50.040333033 CET	53	57867	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:50.041467905 CET	53	60925	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:50.792598963 CET	52390	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:50.792871952 CET	62573	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:51.026309013 CET	53	62573	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:51.043205976 CET	53	52390	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:51.766001940 CET	59202	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:51.766113997 CET	61109	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:52.140158892 CET	60888	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:52.140321970 CET	63565	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:52.278619051 CET	53	60888	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:52.279473066 CET	53	63565	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:53.700700045 CET	58516	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:53.700855970 CET	60674	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:53.841758013 CET	53	60674	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:56.161542892 CET	57914	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:56.161675930 CET	56799	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:56.300163031 CET	53	57914	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:56.300240993 CET	53	56799	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:58.352044106 CET	56352	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:58.352161884 CET	54931	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:58.490622997 CET	53	56352	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:58.491981983 CET	53	54931	1.1.1.1	192.168.2.4
Dec 29, 2024 13:55:58.528080940 CET	65213	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:58.528238058 CET	49949	53	192.168.2.4	1.1.1.1
Dec 29, 2024 13:55:58.667226076 CET	53	49949	1.1.1.1	192.168.2.4

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Dec 29, 2024 13:54:12.939402103 CET	192.168.2.4	1.1.1.1	c2de	(Port unreachable)	Destination Unreachable
Dec 29, 2024 13:54:36.404597998 CET	192.168.2.4	1.1.1.1	c2c1	(Port unreachable)	Destination Unreachable
Dec 29, 2024 13:55:06.723021984 CET	192.168.2.4	1.1.1.1	c270	(Port unreachable)	Destination Unreachable
Dec 29, 2024 13:55:17.229842901 CET	192.168.2.4	1.1.1.1	c2c1	(Port unreachable)	Destination Unreachable
Dec 29, 2024 13:55:33.562468052 CET	192.168.2.4	1.1.1.1	c265	(Port unreachable)	Destination Unreachable
Dec 29, 2024 13:55:36.221939087 CET	192.168.2.4	1.1.1.1	c269	(Port unreachable)	Destination Unreachable
Dec 29, 2024 13:55:53.561403990 CET	192.168.2.4	1.1.1.1	c28c	(Port unreachable)	Destination Unreachable

Timestamp	Bytes transferred	Direction	Data
2024-12-29 12:55:26 UTC	721	OUT	GET /id?d_visid_ver=4.4.0&d_fieldgroup=MC&d_rtbd=json&d_ver=2&d_orgid=EA76ADE95776D2EC7F000101%40AdobeOrg&d_nsid=0&ts=1735476923217 HTTP/1.1 Host: dpm.demdex.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Type: application/x-www-form-urlencoded Accept: / Origin: https://www.microsoft.com Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://www.microsoft.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-29 12:55:26 UTC	823	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 12:55:26 GMT Content-Type: application/json;charset=utf-8 Content-Length: 6666 Connection: close X-TID: /shK9eJcRcU= Strict-Transport-Security: max-age=31536000; includeSubDomains Cache-Control: no-cache,no-store,must-revalidate,max-age=0,proxy-revalidate,no-transform,private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 UTC P3P: policyref="/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa PSAa PSDa OUR SAMa BUS PUR COM NAV INT" Access-Control-Allow-Origin: https://www.microsoft.com Vary: Origin Access-Control-Allow-Credentials: true DCS: dcs-prod-irl1-2-v069-0b0020d8d.edge-irl1.demdex.com 3 ms set-cookie: demdex=81980359511806646913714319239841733483; Max-Age=15552000; Expires=Fri, 27 Jun 2025 12:55:26 GMT; Path=/; Domain=.demdex.net; Secure; SameSite=None
2024-12-29 12:55:26 UTC	6666	IN	Data Raw: 7b 22 64 5f 6d 69 64 22 3a 22 38 31 36 39 39 34 34 30 35 30 30 38 37 31 34 33 30 33 36 33 36 38 38 34 30 33 32 37 30 39 38 34 33 38 31 30 32 38 22 2c 22 69 64 5f 73 79 6e 63 5f 74 74 6c 22 3a 36 30 34 38 30 30 2c 22 64 5f 62 6c 6f 62 22 3a 22 36 47 31 79 6e 59 63 4c 50 75 69 51 78 59 5a 72 73 7a 5f 70 6b 71 66 4c 47 39 79 4d 58 42 70 62 32 7a 58 35 64 76 4a 64 59 51 4a 7a 50 58 49 6d 64 6a 30 79 22 2c 22 64 63 73 5f 72 65 67 69 6f 6e 22 3a 36 2c 22 64 5f 6f 74 74 6c 22 3a 37 32 30 30 2c 22 69 62 73 22 3a 5b 7b 22 69 64 22 3a 22 34 31 31 22 2c 22 74 74 6c 22 3a 31 30 30 38 30 2c 22 74 61 67 22 3a 22 69 6d 67 22 2c 22 66 69 72 65 55 52 4c 53 79 6e 63 22 3a 31 2c 22 73 79 6e 63 4f 6e 50 61 67 65 22 3a 31 2c 22 75 72 6c 22 3a 5b 22 2f 2f 63 6d 2e 65 76 65 72 Data Ascii: {"d_mid":"81699440500871430363688403270984381028","id_sync_ttl":604800,"d_blob":"6G1ynYcLPuiQxYZrsz_pkqfLG9yMXBpb2zX5dvJdYQJzPXImdj0y","dcs_region":6,"d_ottl":7200,"ibs":[{"id":"411","ttl":10080,"tag":"img","fireURLSync":1,"syncOnPage":1,"url":["//cm.ever

Timestamp	Bytes transferred	Direction	Data
2024-12-29 12:55:28 UTC	754	OUT	GET /dest5.html?d_nsid=0 HTTP/1.1 Host: mscom.demdex.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-Dest: iframe Referer: https://www.microsoft.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: demdex=81980359511806646913714319239841733483
2024-12-29 12:55:29 UTC	607	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 12:55:29 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 6983 Connection: close X-TID: mr+ZoRWJRTY= Strict-Transport-Security: max-age=31536000; includeSubDomains Cache-Control: no-cache,no-store,must-revalidate,max-age=0,proxy-revalidate,no-transform,private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 UTC P3P: policyref="/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa PSAa PSDa OUR SAMa BUS PUR COM NAV INT" Accept-Ranges: bytes last-modified: Mon, 11 Nov 2024 10:07:09 GMT DCS: dcs-prod-irl1-1-v069-0b92c000a.edge-irl1.demdex.com 0 ms
2024-12-29 12:55:29 UTC	6983	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 41 64 6f 62 65 20 41 75 64 69 65 6e 63 65 4d 61 6e 61 67 65 72 3c 2f 74 69 74 6c 65 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html lang="en-US"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Adobe AudienceManager</title><script type="text/javas

Timestamp	Bytes transferred	Direction	Data
2024-12-29 12:55:28 UTC	748	OUT	GET /id?d_visid_ver=4.4.0&d_fieldgroup=A&mcorgid=EA76ADE95776D2EC7F000101%40AdobeOrg&mid=81699440500871430363688403270984381028&ts=1735476925721 HTTP/1.1 Host: msftenterprise.sc.omtrdc.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Type: application/x-www-form-urlencoded Accept: / Origin: https://www.microsoft.com Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://www.microsoft.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-29 12:55:29 UTC	442	IN	HTTP/1.1 200 OK access-control-allow-origin: https://www.microsoft.com access-control-allow-credentials: true date: Sun, 29 Dec 2024 12:55:29 GMT p3p: CP="This is not a P3P policy" server: jag vary: Origin content-type: application/x-javascript;charset=utf-8 content-length: 2 cache-control: no-cache, no-store, max-age=0, no-transform, private x-xss-protection: 1; mode=block x-content-type-options: nosniff connection: close
2024-12-29 12:55:29 UTC	2	IN	Data Raw: 7b 7d Data Ascii: {}

Timestamp	Bytes transferred	Direction	Data
2024-12-29 12:55:29 UTC	519	OUT	GET /id?d_visid_ver=4.4.0&d_fieldgroup=MC&d_rtbd=json&d_ver=2&d_orgid=EA76ADE95776D2EC7F000101%40AdobeOrg&d_nsid=0&ts=1735476923217 HTTP/1.1 Host: dpm.demdex.net Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: demdex=81980359511806646913714319239841733483
2024-12-29 12:55:30 UTC	713	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 12:55:29 GMT Content-Type: application/json;charset=utf-8 Content-Length: 6649 Connection: close X-TID: lJhXek1tSh0= Strict-Transport-Security: max-age=31536000; includeSubDomains Cache-Control: no-cache,no-store,must-revalidate,max-age=0,proxy-revalidate,no-transform,private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 UTC P3P: policyref="/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa PSAa PSDa OUR SAMa BUS PUR COM NAV INT" DCS: dcs-prod-irl1-2-v069-09b470f5a.edge-irl1.demdex.com 3 ms set-cookie: demdex=81980359511806646913714319239841733483; Max-Age=15552000; Expires=Fri, 27 Jun 2025 12:55:29 GMT; Path=/; Domain=.demdex.net; Secure; SameSite=None
2024-12-29 12:55:30 UTC	6649	IN	Data Raw: 7b 22 64 5f 6d 69 64 22 3a 22 38 31 36 39 39 34 34 30 35 30 30 38 37 31 34 33 30 33 36 33 36 38 38 34 30 33 32 37 30 39 38 34 33 38 31 30 32 38 22 2c 22 69 64 5f 73 79 6e 63 5f 74 74 6c 22 3a 36 30 34 38 30 30 2c 22 64 5f 62 6c 6f 62 22 3a 22 52 4b 68 70 52 7a 38 6b 72 67 32 74 4c 4f 36 70 67 75 58 57 70 35 6f 6c 6b 41 63 55 6e 69 51 59 50 48 61 4d 57 57 67 64 4a 33 78 7a 50 57 51 6d 64 6a 30 79 22 2c 22 64 63 73 5f 72 65 67 69 6f 6e 22 3a 36 2c 22 64 5f 6f 74 74 6c 22 3a 37 32 30 30 2c 22 69 62 73 22 3a 5b 7b 22 69 64 22 3a 22 34 31 31 22 2c 22 74 74 6c 22 3a 31 30 30 38 30 2c 22 74 61 67 22 3a 22 69 6d 67 22 2c 22 66 69 72 65 55 52 4c 53 79 6e 63 22 3a 31 2c 22 73 79 6e 63 4f 6e 50 61 67 65 22 3a 31 2c 22 75 72 6c 22 3a 5b 22 2f 2f 63 6d 2e 65 76 65 72 Data Ascii: {"d_mid":"81699440500871430363688403270984381028","id_sync_ttl":604800,"d_blob":"RKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y","dcs_region":6,"d_ottl":7200,"ibs":[{"id":"411","ttl":10080,"tag":"img","fireURLSync":1,"syncOnPage":1,"url":["//cm.ever

Timestamp	Bytes transferred	Direction	Data
2024-12-29 12:55:30 UTC	934	OUT	GET /id?d_visid_ver=4.4.0&d_fieldgroup=AAM&d_rtbd=json&d_ver=2&d_orgid=EA76ADE95776D2EC7F000101%40AdobeOrg&d_nsid=0&d_mid=81699440500871430363688403270984381028&d_blob=6G1ynYcLPuiQxYZrsz_pkqfLG9yMXBpb2zX5dvJdYQJzPXImdj0y&d_cid_ic=MC1%0163539283e80441aa9dfff040b635d212%012&ts=1735476928112 HTTP/1.1 Host: dpm.demdex.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Type: application/x-www-form-urlencoded Accept: / Origin: https://www.microsoft.com Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://www.microsoft.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: demdex=81980359511806646913714319239841733483
2024-12-29 12:55:31 UTC	823	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 12:55:31 GMT Content-Type: application/json;charset=utf-8 Content-Length: 6666 Connection: close X-TID: DJKWNfXiToc= Strict-Transport-Security: max-age=31536000; includeSubDomains Cache-Control: no-cache,no-store,must-revalidate,max-age=0,proxy-revalidate,no-transform,private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 UTC P3P: policyref="/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa PSAa PSDa OUR SAMa BUS PUR COM NAV INT" Access-Control-Allow-Origin: https://www.microsoft.com Vary: Origin Access-Control-Allow-Credentials: true DCS: dcs-prod-irl1-2-v069-0799cd85a.edge-irl1.demdex.com 8 ms set-cookie: demdex=81980359511806646913714319239841733483; Max-Age=15552000; Expires=Fri, 27 Jun 2025 12:55:31 GMT; Path=/; Domain=.demdex.net; Secure; SameSite=None
2024-12-29 12:55:31 UTC	6666	IN	Data Raw: 7b 22 64 5f 6d 69 64 22 3a 22 38 31 36 39 39 34 34 30 35 30 30 38 37 31 34 33 30 33 36 33 36 38 38 34 30 33 32 37 30 39 38 34 33 38 31 30 32 38 22 2c 22 69 64 5f 73 79 6e 63 5f 74 74 6c 22 3a 36 30 34 38 30 30 2c 22 64 5f 62 6c 6f 62 22 3a 22 36 47 31 79 6e 59 63 4c 50 75 69 51 78 59 5a 72 73 7a 5f 70 6b 71 66 4c 47 39 79 4d 58 42 70 62 32 7a 58 35 64 76 4a 64 59 51 4a 7a 50 58 49 6d 64 6a 30 79 22 2c 22 64 63 73 5f 72 65 67 69 6f 6e 22 3a 36 2c 22 64 5f 6f 74 74 6c 22 3a 37 32 30 30 2c 22 69 62 73 22 3a 5b 7b 22 69 64 22 3a 22 34 31 31 22 2c 22 74 74 6c 22 3a 31 30 30 38 30 2c 22 74 61 67 22 3a 22 69 6d 67 22 2c 22 66 69 72 65 55 52 4c 53 79 6e 63 22 3a 31 2c 22 73 79 6e 63 4f 6e 50 61 67 65 22 3a 31 2c 22 75 72 6c 22 3a 5b 22 2f 2f 63 6d 2e 65 76 65 72 Data Ascii: {"d_mid":"81699440500871430363688403270984381028","id_sync_ttl":604800,"d_blob":"6G1ynYcLPuiQxYZrsz_pkqfLG9yMXBpb2zX5dvJdYQJzPXImdj0y","dcs_region":6,"d_ottl":7200,"ibs":[{"id":"411","ttl":10080,"tag":"img","fireURLSync":1,"syncOnPage":1,"url":["//cm.ever

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report T1#U52a9#U624b1.0.1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\$WINDOWS.~BT\Sources\Panther\diagerr.xml

C:\$WINDOWS.~BT\Sources\Panther\diagwrn.xml

C:\$WINDOWS.~BT\Sources\Panther\setupact.log

C:\$WINDOWS.~BT\Sources\SetupPlatform.ini

C:\$Windows.~WS\Sources\DU.dll

C:\$Windows.~WS\Sources\DiagTrack.dll

C:\$Windows.~WS\Sources\DiagTrackRunner.exe

C:\$Windows.~WS\Sources\Diager.dll

C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll

C:\$Windows.~WS\Sources\Panther\DlTel-Merge.etl

C:\$Windows.~WS\Sources\Panther\Eula.rtf

C:\$Windows.~WS\Sources\Panther\diagerr.xml

C:\$Windows.~WS\Sources\Panther\diagwrn.xml

C:\$Windows.~WS\Sources\Panther\setupact.log

Windows Analysis Report
T1#U52a9#U624b1.0.1.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-29 12:55:31 UTC	713	OUT	GET /ibs:dpid=411&dpuuid=Z3FGwQAAAIPC1wOJ HTTP/1.1 Host: dpm.demdex.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://www.microsoft.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: demdex=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485
2024-12-29 12:55:31 UTC	891	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 12:55:31 GMT Content-Type: image/gif Content-Length: 42 Connection: close X-TID: n6Hu5OT3QnA= Strict-Transport-Security: max-age=31536000; includeSubDomains Cache-Control: no-cache,no-store,must-revalidate,max-age=0,proxy-revalidate,no-transform,private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 UTC P3P: policyref="/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa PSAa PSDa OUR SAMa BUS PUR COM NAV INT" X-Content-Type-Options: nosniff DCS: dcs-prod-irl1-1-v069-0dceb7b49.edge-irl1.demdex.com 2 ms set-cookie: dpm=81980359511806646913714319239841733483; Max-Age=15552000; Expires=Fri, 27 Jun 2025 12:55:31 GMT; Path=/; Domain=.dpm.demdex.net; Secure; SameSite=None set-cookie: demdex=81980359511806646913714319239841733483; Max-Age=15552000; Expires=Fri, 27 Jun 2025 12:55:31 GMT; Path=/; Domain=.demdex.net; Secure; SameSite=None
2024-12-29 12:55:31 UTC	42	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00 ff ff ff 21 f9 04 01 00 00 00 00 2c 00 00 00 00 01 00 01 00 00 02 01 44 00 3b Data Ascii: GIF89a!,D;

Timestamp	Bytes transferred	Direction	Data
2024-12-29 12:55:31 UTC	637	OUT	GET /365868.gif?partner_uid=81980359511806646913714319239841733483 HTTP/1.1 Host: idsync.rlcdn.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://mscom.demdex.net/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-29 12:55:31 UTC	736	IN	HTTP/1.1 307 Temporary Redirect Cache-Control: no-cache, no-store Location: https://idsync.rlcdn.com/1000.gif?memo=CKyqFhIxCi0IARCYEhomODE5ODAzNTk1MTE4MDY2NDY5MTM3MTQzMTkyMzk4NDE3MzM0ODMQABoNCMONxbsGEgUI6AcQAEIASgA P3p: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: rlas3=7Duni9Is6QKMFg6L/mqucNLRKA4yKjzeBAXndzPoDRI=; Path=/; Domain=rlcdn.com; Expires=Mon, 29 Dec 2025 12:55:31 GMT; Secure; SameSite=None Set-Cookie: pxrc=CAA=; Path=/; Domain=rlcdn.com; Expires=Thu, 27 Feb 2025 12:55:31 GMT; Secure; SameSite=None Timing-Allow-Origin: * Date: Sun, 29 Dec 2024 12:55:31 GMT Content-Length: 0 Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2024-12-29 12:55:31 UTC	644	OUT	GET /getuid?https%3A%2F%2Fdpm.demdex.net%2Fibs%3Adpid%3D358%26dpuuid%3D%24UID HTTP/1.1 Host: ib.adnxs.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://mscom.demdex.net/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-29 12:55:31 UTC	1494	IN	HTTP/1.1 307 Redirection Server: nginx/1.23.4 Date: Sun, 29 Dec 2024 12:55:31 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: policyref="http://cdn.adnxs-simple.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE" X-XSS-Protection: 0 Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: * Accept-CH: Sec-CH-UA-Full-Version-List,Sec-CH-UA-Arch,Sec-CH-UA-Model,Sec-CH-UA-Platform-Version,Sec-CH-UA-Bitness Location: https://ib.adnxs.com/bounce?%2Fgetuid%3Fhttps%253A%252F%252Fdpm.demdex.net%252Fibs%253Adpid%253D358%2526dpuuid%253D%2524UID AN-X-Request-Uuid: bfc4adc0-4e5f-4e74-9a10-b599e313d8ad Set-Cookie: XANDR_PANID=BZXHKZql-2YMKk-7V-hqTl77N6wfEL1GYZbNGSUayoQMp4BmPQQC6aHR3SlKXRTYDc0J4sq13dIHO3Fz88aU4HIql9-ITc2_buK9aDLmeZk.; SameSite=None; Path=/; Max-Age=7776000; Expires=Sat, 29-Mar-2025 12:55:31 GMT; Domain=.adnxs.com; Secure; Partitioned Set-Cookie: receive-cookie-deprecation=1; SameSite=None; Path=/; Max-Age=314496000; Expires=Sun, 17-Dec-2034 12:55:31 GMT; Domain=.adnxs.com; Secure; HttpOnly; Partitioned Set-Cookie: uuid2=7919660468872361886; SameSite=None; Path=/; Max-Age=7776000; Expires=Sat, 29-Mar-2025 12:55:31 GMT; Domain=.adnxs.com; Secure; HttpOnly X-Proxy-Origin: 8.46.123.189; 8.46.123.189; 868.bm-nginx-loadbalancer.mgmt.fra1.adnexus.net; adnxs.com

Timestamp	Bytes transferred	Direction	Data
2024-12-29 12:55:32 UTC	797	OUT	GET /pixel?google_nid=adobe_dmp&google_cm&gdpr=0&gdpr_consent=&google_hm=ODE5ODAzNTk1MTE4MDY2NDY5MTM3MTQzMTkyMzk4NDE3MzM0ODM= HTTP/1.1 Host: cm.g.doubleclick.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://mscom.demdex.net/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-29 12:55:33 UTC	880	IN	HTTP/1.1 302 Found P3P: policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Location: https://cm.g.doubleclick.net/pixel?google_nid=adobe_dmp&google_cm=&gdpr=0&gdpr_consent=&google_hm=ODE5ODAzNTk1MTE4MDY2NDY5MTM3MTQzMTkyMzk4NDE3MzM0ODM=&google_tc= Date: Sun, 29 Dec 2024 12:55:33 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-cache, must-revalidate Cross-Origin-Resource-Policy: cross-origin Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 378 X-XSS-Protection: 0 Set-Cookie: test_cookie=CheckForPermission; expires=Sun, 29-Dec-2024 13:10:33 GMT; path=/; domain=.doubleclick.net; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-29 12:55:33 UTC	378	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 63 6d 2e 67 2e 64 6f 75 62 6c 65 63 6c 69 63 6b 2e 6e 65 74 2f 70 69 78 65 6c 3f 67 6f 6f 67 6c 65 5f 6e 69 64 3d 61 64 6f 62 65 5f 64 6d 70 26 61 6d 70 3b 67 6f 6f 67 6c 65 5f 63 6d 3d 26 61 6d 70 3b 67 64 70 72 3d 30 26 61 6d 70 3b 67 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://cm.g.doubleclick.net/pixel?google_nid=adobe_dmp&google_cm=&gdpr=0&g

Timestamp	Bytes transferred	Direction	Data
2024-12-29 12:55:33 UTC	760	OUT	GET /1000.gif?memo=CKyqFhIxCi0IARCYEhomODE5ODAzNTk1MTE4MDY2NDY5MTM3MTQzMTkyMzk4NDE3MzM0ODMQABoNCMONxbsGEgUI6AcQAEIASgA HTTP/1.1 Host: idsync.rlcdn.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://mscom.demdex.net/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: rlas3=7Duni9Is6QKMFg6L/mqucNLRKA4yKjzeBAXndzPoDRI=; pxrc=CAA=
2024-12-29 12:55:33 UTC	745	IN	HTTP/1.1 307 Temporary Redirect Cache-Control: no-cache, no-store Location: https://dpm.demdex.net/ibs:dpid=477&dpuuid=779416a4c94a11361c21809cfac65e3347c1e49f6529a35cccf14d681b05f925b0da87c991749652 P3p: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: rlas3=BkMQ8jAjDTmMFg6L/mqucNLRKA4yKjzeBAXndzPoDRI=; Path=/; Domain=rlcdn.com; Expires=Mon, 29 Dec 2025 12:55:33 GMT; Secure; SameSite=None Set-Cookie: pxrc=CMWNxbsGEgUI6AcQABIGCPHrARAA; Path=/; Domain=rlcdn.com; Expires=Thu, 27 Feb 2025 12:55:33 GMT; Secure; SameSite=None Timing-Allow-Origin: * Date: Sun, 29 Dec 2024 12:55:33 GMT Content-Length: 0 Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2024-12-29 12:55:33 UTC	861	OUT	GET /bounce?%2Fgetuid%3Fhttps%253A%252F%252Fdpm.demdex.net%252Fibs%253Adpid%253D358%2526dpuuid%253D%2524UID HTTP/1.1 Host: ib.adnxs.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://mscom.demdex.net/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: XANDR_PANID=BZXHKZql-2YMKk-7V-hqTl77N6wfEL1GYZbNGSUayoQMp4BmPQQC6aHR3SlKXRTYDc0J4sq13dIHO3Fz88aU4HIql9-ITc2_buK9aDLmeZk.; receive-cookie-deprecation=1; uuid2=7919660468872361886
2024-12-29 12:55:34 UTC	1427	IN	HTTP/1.1 302 Found Server: nginx/1.23.4 Date: Sun, 29 Dec 2024 12:55:33 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: policyref="http://cdn.adnxs-simple.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE" X-XSS-Protection: 0 Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: * Accept-CH: Sec-CH-UA-Full-Version-List,Sec-CH-UA-Arch,Sec-CH-UA-Model,Sec-CH-UA-Platform-Version,Sec-CH-UA-Bitness Location: https://dpm.demdex.net/ibs:dpid=358&dpuuid=7919660468872361886 AN-X-Request-Uuid: 4e191330-ca61-4ed6-9b2e-94c797dd3c83 Set-Cookie: XANDR_PANID=BZXHKZql-2YMKk-7V-hqTl77N6wfEL1GYZbNGSUayoQMp4BmPQQC6aHR3SlKXRTYDc0J4sq13dIHO3Fz88aU4HIql9-ITc2_buK9aDLmeZk.; SameSite=None; Path=/; Max-Age=7776000; Expires=Sat, 29-Mar-2025 12:55:33 GMT; Domain=.adnxs.com; Secure; Partitioned Set-Cookie: receive-cookie-deprecation=1; SameSite=None; Path=/; Max-Age=314496000; Expires=Sun, 17-Dec-2034 12:55:33 GMT; Domain=.adnxs.com; Secure; HttpOnly; Partitioned Set-Cookie: uuid2=7919660468872361886; SameSite=None; Path=/; Max-Age=7776000; Expires=Sat, 29-Mar-2025 12:55:33 GMT; Domain=.adnxs.com; Secure; HttpOnly X-Proxy-Origin: 8.46.123.189; 8.46.123.189; 868.bm-nginx-loadbalancer.mgmt.fra1.adnexus.net; adnxs.com

Timestamp	Bytes transferred	Direction	Data
2024-12-29 12:55:35 UTC	860	OUT	GET /ibs:dpid=477&dpuuid=779416a4c94a11361c21809cfac65e3347c1e49f6529a35cccf14d681b05f925b0da87c991749652 HTTP/1.1 Host: dpm.demdex.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://mscom.demdex.net/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489
2024-12-29 12:55:35 UTC	891	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 12:55:35 GMT Content-Type: image/gif Content-Length: 42 Connection: close X-TID: RFvg7l+zRAc= Strict-Transport-Security: max-age=31536000; includeSubDomains Cache-Control: no-cache,no-store,must-revalidate,max-age=0,proxy-revalidate,no-transform,private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 UTC P3P: policyref="/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa PSAa PSDa OUR SAMa BUS PUR COM NAV INT" X-Content-Type-Options: nosniff DCS: dcs-prod-irl1-1-v069-0a6138bf6.edge-irl1.demdex.com 3 ms set-cookie: dpm=81980359511806646913714319239841733483; Max-Age=15552000; Expires=Fri, 27 Jun 2025 12:55:35 GMT; Path=/; Domain=.dpm.demdex.net; Secure; SameSite=None set-cookie: demdex=81980359511806646913714319239841733483; Max-Age=15552000; Expires=Fri, 27 Jun 2025 12:55:35 GMT; Path=/; Domain=.demdex.net; Secure; SameSite=None
2024-12-29 12:55:35 UTC	42	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00 ff ff ff 21 f9 04 01 00 00 00 00 2c 00 00 00 00 01 00 01 00 00 02 01 44 00 3b Data Ascii: GIF89a!,D;

Timestamp	Bytes transferred	Direction	Data
2024-12-29 12:55:35 UTC	819	OUT	GET /ibs:dpid=358&dpuuid=7919660468872361886 HTTP/1.1 Host: dpm.demdex.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://mscom.demdex.net/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755
2024-12-29 12:55:36 UTC	891	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 12:55:35 GMT Content-Type: image/gif Content-Length: 42 Connection: close X-TID: 6pDqE0p5S6Y= Strict-Transport-Security: max-age=31536000; includeSubDomains Cache-Control: no-cache,no-store,must-revalidate,max-age=0,proxy-revalidate,no-transform,private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 UTC P3P: policyref="/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa PSAa PSDa OUR SAMa BUS PUR COM NAV INT" X-Content-Type-Options: nosniff DCS: dcs-prod-irl1-1-v069-0eaa7db83.edge-irl1.demdex.com 2 ms set-cookie: dpm=81980359511806646913714319239841733483; Max-Age=15552000; Expires=Fri, 27 Jun 2025 12:55:35 GMT; Path=/; Domain=.dpm.demdex.net; Secure; SameSite=None set-cookie: demdex=81980359511806646913714319239841733483; Max-Age=15552000; Expires=Fri, 27 Jun 2025 12:55:35 GMT; Path=/; Domain=.demdex.net; Secure; SameSite=None
2024-12-29 12:55:36 UTC	42	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00 ff ff ff 21 f9 04 01 00 00 00 00 2c 00 00 00 00 01 00 01 00 00 02 01 44 00 3b Data Ascii: GIF89a!,D;

Timestamp	Bytes transferred	Direction	Data
2024-12-29 12:55:36 UTC	648	OUT	GET /i/adsct?p_user_id=81980359511806646913714319239841733483&p_id=38594 HTTP/1.1 Host: analytics.twitter.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://mscom.demdex.net/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-29 12:55:37 UTC	571	IN	HTTP/1.1 200 OK date: Sun, 29 Dec 2024 12:55:36 GMT perf: 7402827104 server: tsa_b set-cookie: personalization_id="v1_qINRniee1m6dmxnwCWM25w=="; Max-Age=63072000; Expires=Tue, 29 Dec 2026 12:55:36 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None content-type: image/gif;charset=utf-8 cache-control: no-cache, no-store, max-age=0 content-length: 43 x-transaction-id: 5ecc64912dbed3a0 strict-transport-security: max-age=631138519 x-response-time: 5 x-connection-hash: a82f2a546191d61377b52c62f36168fa7ab93d8a6ccd4bce73a35c0efd3fe829 connection: close
2024-12-29 12:55:37 UTC	43	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 80 00 00 ff ff ff 00 00 00 21 f9 04 09 00 00 01 00 2c 00 00 00 00 01 00 01 00 00 02 02 4c 01 00 3b Data Ascii: GIF89a!,L;

Timestamp	Bytes transferred	Direction	Data
2024-12-29 12:55:38 UTC	883	OUT	GET /ibs:dpid=771&dpuuid=CAESEIv6GK4jHao86K5Dl2BpM8w&google_cver=1?gdpr=0&gdpr_consent= HTTP/1.1 Host: dpm.demdex.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://mscom.demdex.net/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: demdex=81980359511806646913714319239841733483; dpm=81980359511806646913714319239841733483; dextp=358-1-1735476928296\|477-1-1735476928485\|771-1-1735476929489\|782-1-1735476930489\|992-1-1735476932755\|1123-1-1735476933485
2024-12-29 12:55:39 UTC	891	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 12:55:38 GMT Content-Type: image/gif Content-Length: 42 Connection: close X-TID: vKNlqyofQ4A= Strict-Transport-Security: max-age=31536000; includeSubDomains Cache-Control: no-cache,no-store,must-revalidate,max-age=0,proxy-revalidate,no-transform,private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 UTC P3P: policyref="/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa PSAa PSDa OUR SAMa BUS PUR COM NAV INT" X-Content-Type-Options: nosniff DCS: dcs-prod-irl1-2-v069-087795c31.edge-irl1.demdex.com 3 ms set-cookie: dpm=81980359511806646913714319239841733483; Max-Age=15552000; Expires=Fri, 27 Jun 2025 12:55:38 GMT; Path=/; Domain=.dpm.demdex.net; Secure; SameSite=None set-cookie: demdex=81980359511806646913714319239841733483; Max-Age=15552000; Expires=Fri, 27 Jun 2025 12:55:38 GMT; Path=/; Domain=.demdex.net; Secure; SameSite=None
2024-12-29 12:55:39 UTC	42	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00 ff ff ff 21 f9 04 01 00 00 00 00 2c 00 00 00 00 01 00 01 00 00 02 01 44 00 3b Data Ascii: GIF89a!,D;